To push the identity provider settings to the device, create and deploy the Apple iOS device profile in Workspace ONE UEM. The profile carries the information the device needs to connect to the Workspace ONE Access service and the certificate that the device uses to authenticate.

To allow iOS devices to connect to the Workspace ONE Access identity provider, first use Workspace ONE UEM to create and deploy the Apple iOS device profile, then assign the profile to a smart group.

Prerequisites

  • Built-in Kerberos configured in Workspace ONE Access.
  • A mobile iOS authentication rule configured in the Workspace ONE Access default access policy.
  • Workspace ONE Access KDC server root certificate file saved to a computer that can be accessed from the Workspace ONE UEM console.
  • Certificate enabled and downloaded from the Workspace ONE UEM console System > Enterprise Integration > Workspace ONE Access page.
  • List of URLs and application bundle IDs that use Built-in Kerberos authentication on iOS devices.

Procedure

  1. In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profile > Add Profile and select Apple iOS.
  2. Configure the profile's General settings and enter iOSKerberos as the profile name.
  3. In the left navigation pane, select SCEP > Configure to configure the credential.
    Credential Source: Select AirWatch Certificate Authority from the drop-down menu.
    Certificate Authority: Select the AirWatch Certificate Authority from the drop-down menu.
    Certificate Template: Select Single Sign On to set the type of certificate that the AirWatch Certificate Authority issues.
  4. Click Credentials > Configure and create a second credential.
  5. In the Credential Source drop-down menu, select Upload.
  6. Enter the iOS Kerberos credential name.
  7. Click Upload and upload the Workspace ONE Access KDC server root certificate, which is downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity Provider page.
  8. In the left navigation pane, select Single Sign-On.
  9. Enter the connection information.
    Account Name: Enter Kerberos.
    Kerberos Principal Name: Click + and select {EnrollmentUser}.
    Realm: For tenant deployments in the cloud, enter the Workspace ONE Access realm name for your tenant. The value must be in upper case, for example VMWAREIDENTITY.COM. For on-premises deployments, enter the realm name you used when you initialized the KDC on the Workspace ONE Access machine, for example EXAMPLE.COM.
    Renewal Certificate: On iOS 8 and later devices, select the certificate that the device uses to reauthenticate the user automatically, without user interaction, when the user's single sign-on session expires. This is the SCEP credential configured in step 3, not the uploaded KDC root certificate.
    URL Prefixes: Enter the URL prefixes that must match for this account to be used for Kerberos authentication over HTTP. For tenant deployments in the cloud, enter the Workspace ONE Access server URL as https://<tenant>.vmwareidentity.<region>. For on-premises deployments, enter the Workspace ONE Access server URL, for example https://myco.example.com.
    Applications: Enter the list of application identities (bundle IDs) that are allowed to use this sign-in account. To perform single sign-on from the built-in Safari browser, enter com.apple.mobilesafari as the first bundle ID, then add the remaining bundle IDs. The applications listed must support SAML authentication.
  10. Click Save & Publish.
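The Single Sign-On settings above are delivered to the device as an Apple Single Sign-On Account payload (PayloadType com.apple.sso). The following is an added example, not VMware code or the payload the UEM console actually emits: it maps each console field to the corresponding payload key and enforces the constraints stated in the procedure (upper-case realm, HTTPS URL prefixes, at least one allowed application). The hostnames, realm, bundle IDs and certificate UUID in it are constructed, and the HTTPS-only check on URL prefixes is an added hardening check rather than a console requirement.

```python
"""Build and sanity-check an iOS Kerberos Single Sign-On Account payload.

Added example for the Workspace ONE UEM procedure above; it is not the
console's own payload generator. Key names follow Apple's documented
com.apple.sso payload. All concrete values below are constructed.
"""
import plistlib
import uuid
from urllib.parse import urlsplit


def build_kerberos_sso_payload(account_name, principal, realm, url_prefixes,
                               app_ids, renewal_cert_uuid=None):
    """Return a dict shaped like an Apple com.apple.sso payload.

    Raises ValueError for values the procedure does not allow.
    """
    # Realm: the page requires the realm in upper case (e.g. EXAMPLE.COM).
    if not realm or realm != realm.upper():
        raise ValueError(f"realm must be upper case: {realm!r}")

    # URL Prefixes: the console asks for the Workspace ONE Access URL.
    # Added check: only accept https:// origins, so a ticket is never
    # presented to a plaintext endpoint a network attacker could impersonate.
    if not url_prefixes:
        raise ValueError("at least one URL prefix is required")
    for prefix in url_prefixes:
        parts = urlsplit(prefix)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"URL prefix must be an https:// origin: {prefix!r}")

    # Applications: bundle IDs permitted to use this account.
    if not app_ids:
        raise ValueError("at least one application bundle ID is required")

    kerberos = {
        "PrincipalName": principal,          # console: Kerberos Principal Name
        "Realm": realm,                      # console: Realm
        "URLPrefixMatches": list(url_prefixes),   # console: URL Prefixes
        "AppIdentifierMatches": list(app_ids),    # console: Applications
    }
    if renewal_cert_uuid:
        # iOS 8+: certificate used to renew the session silently
        # (console: Renewal Certificate, i.e. the SCEP credential).
        kerberos["PayloadCertificateUUID"] = renewal_cert_uuid

    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Kerberos SSO",
        "Name": account_name,                # console: Account Name
        "Kerberos": kerberos,
    }


def to_plist(payload):
    """Serialize the payload as the XML plist an MDM server would deliver."""
    return plistlib.dumps(payload)


def example_payload():
    """The on-premises case from the procedure, with constructed values."""
    return build_kerberos_sso_payload(
        account_name="Kerberos",
        principal="jdoe",                    # UEM fills in {EnrollmentUser}
        realm="EXAMPLE.COM",
        url_prefixes=["https://myco.example.com"],
        app_ids=["com.apple.mobilesafari", "com.example.saml-app"],  # constructed
        renewal_cert_uuid="1C6A1F0E-1C2D-4E5F-8A9B-0C1D2E3F4A5B",    # constructed
    )


if __name__ == "__main__":
    print(to_plist(example_payload()).decode())
```

Run it to see the plist the console settings correspond to; the two ValueError paths show the mistakes that most often break Kerberos SSO on iOS: a lower-case realm, and a URL prefix that does not match the scheme and host the device actually contacts.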

Results

When the iOS profile is successfully pushed to users' devices, users can sign in to Workspace ONE Access using the Built-in Kerberos authentication method without entering their credentials.

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision. See Assign a Workspace ONE UEM Device Profile to Smart Groups.