Create and deploy the Apple iOS device profile in Workspace ONE UEM to push the identity provider settings to the device. This profile contains the information the device needs to connect to the VMware Identity Provider and the certificate that the device uses to authenticate. Enabling single sign-on gives users seamless access without requiring them to authenticate to each app separately.

Prerequisites

  • Mobile SSO for iOS is configured in VMware Identity Manager.

  • The iOS Kerberos certificate authority file is saved to a computer that can be accessed from the Workspace ONE UEM admin console.

  • Your Certificate Authority and Certificate Template are properly configured in Workspace ONE UEM.

  • You have a list of the URLs and application bundle IDs that use Mobile SSO for iOS authentication on iOS devices.

Procedure

  1. In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profiles.
  2. Select Add > Add Profile and select Apple iOS.
  3. Enter the name as iOSKerberos and configure the General settings.
  4. In the left navigation pane, select Credentials > Configure to configure the credential.



    Credential Source

    Select Defined Certificate Authority from the drop-down menu.

    Certificate Authority

    Select the certificate authority from the list in the drop-down menu.

    Certificate Template

    Select the request template that references the certificate authority from the drop-down menu. This is the certificate template created in Adding the Certificate Template in Workspace ONE UEM.

  5. Click + in the lower right corner of the page to create a second credential.
  6. In the Credential Source drop-down menu, select Upload.
  7. Enter a credential name.
  8. Click Upload and upload the KDC server root certificate that you downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity Provider page.
  9. In the left navigation pane, select Single Sign-On and click Configure.
  10. Enter the connection information.



    Account Name

    Enter Kerberos.

    Kerberos Principal Name

    Click + and select {EnrollmentUser}.

    Realm

    For tenant deployments in the cloud, enter the Identity Manager realm name for your tenant. The text in this parameter must be in uppercase. For example, VMWAREIDENTITY.COM.

    For on-premises deployments, enter the realm name you used when you initialized the KDC in the VMware Identity Manager appliance. For example, EXAMPLE.COM.

    Renewal Certificate

    Select Certificate #1 from the drop-down menu. This is the Active Directory CA certificate that you configured first under Credentials.

    URL Prefixes

    Enter the URL prefixes that a request must match for this account to be used for Kerberos authentication over HTTP.

    For tenant deployments in the cloud, enter the VMware Identity Manager server URL as https://<tenant>.vmwareidentity.<region>.

    For on premises deployments, enter the VMware Identity Manager server URL as

    Applications

    Enter the list of application identities (bundle IDs) that are allowed to use this sign-on. To perform single sign-on from the iOS built-in Safari browser, enter the Safari bundle ID as the first application bundle ID, then continue entering the bundle IDs of the other applications. The applications listed must support SAML authentication.

  11. Click Save & Publish.
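Workspace ONE UEM assembles the profile for you when you click Save & Publish, but it helps to know what the Single Sign-On settings above become on the device and to check an exported profile before assigning it. The following Python is an added example, not VMware's code: it builds the equivalent Apple com.apple.sso Kerberos payload from the settings in steps 10 and 11, wraps it in a configuration profile, parses it back, and checks the constraints the procedure states (uppercase realm, https URL prefix, a certificate reference that resolves to a credential in the same profile, and an expanded principal name rather than the {EnrollmentUser} lookup value). The key names follow Apple's documented com.apple.sso payload; the realm, tenant URL, bundle ID, user name and certificate UUID are constructed sample values.

```python
"""Build and check the Apple Kerberos SSO payload of the iOSKerberos profile.

Added example, not VMware's code. Key names follow Apple's com.apple.sso
payload; all concrete values below are constructed samples.
"""
import plistlib
import uuid
from urllib.parse import urlsplit

SSO_PAYLOAD_TYPE = "com.apple.sso"


def build_sso_payload(account_name, principal_name, realm, url_prefixes,
                      app_identifiers, renewal_cert_uuid):
    """Return one com.apple.sso payload dict.

    renewal_cert_uuid is the PayloadUUID of Credential #1 in the same profile
    (the client certificate from the CA template), which is what the
    'Renewal Certificate' setting selects.
    """
    return {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.iOSKerberos.sso",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iOSKerberos",
        "AccountName": account_name,
        "Kerberos": {
            "PrincipalName": principal_name,
            "Realm": realm,
            "URLPrefixMatches": list(url_prefixes),
            "AppIdentifierMatches": list(app_identifiers),
            "PayloadCertificateUUID": renewal_cert_uuid,
        },
    }


def validate_sso_payload(payload, credential_uuids):
    """Return a list of problems; an empty list means the payload passes.

    credential_uuids: PayloadUUIDs of the credential payloads in the same
    profile, so a dangling certificate reference is caught.
    """
    problems = []
    if payload.get("PayloadType") != SSO_PAYLOAD_TYPE:
        problems.append("PayloadType is not com.apple.sso")
    kerb = payload.get("Kerberos", {})

    # The procedure requires the realm in uppercase, e.g. VMWAREIDENTITY.COM.
    realm = kerb.get("Realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"realm must be uppercase: {realm!r}")

    # {EnrollmentUser} is a UEM lookup value; the profile that reaches the
    # device is assumed to carry the expanded user name, not the placeholder.
    principal = kerb.get("PrincipalName", "")
    if not principal or (principal.startswith("{") and principal.endswith("}")):
        problems.append(f"principal name not expanded: {principal!r}")

    # URL prefixes decide which hosts the Kerberos account is offered to, so
    # this check (added here) insists on an explicit https:// host.
    prefixes = kerb.get("URLPrefixMatches", [])
    if not prefixes:
        problems.append("no URL prefixes configured")
    for prefix in prefixes:
        parts = urlsplit(prefix)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"URL prefix must start with https://host: {prefix!r}")

    if not kerb.get("AppIdentifierMatches"):
        problems.append("no application bundle IDs configured")

    cert_ref = kerb.get("PayloadCertificateUUID")
    if cert_ref not in credential_uuids:
        problems.append(f"renewal certificate {cert_ref!r} is not a credential in this profile")
    return problems


def to_mobileconfig(payloads):
    """Wrap payloads in a top-level Configuration profile as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.iOSKerberos",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iOSKerberos",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def sso_payloads_from_mobileconfig(data):
    """Parse an XML plist profile and return its com.apple.sso payloads."""
    profile = plistlib.loads(data)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == SSO_PAYLOAD_TYPE]


def demo():
    """Build a sample profile with the procedure's settings and check it."""
    cert_uuid = "11111111-2222-3333-4444-555555555555"  # constructed Credential #1
    sso = build_sso_payload(
        account_name="Kerberos",
        principal_name="jdoe",  # constructed; {EnrollmentUser} already expanded
        realm="VMWAREIDENTITY.COM",
        url_prefixes=["https://tenant.vmwareidentity.com"],  # constructed
        app_identifiers=["com.example.app"],  # constructed bundle ID
        renewal_cert_uuid=cert_uuid,
    )
    parsed = sso_payloads_from_mobileconfig(to_mobileconfig([sso]))[0]
    return validate_sso_payload(parsed, {cert_uuid})


if __name__ == "__main__":
    print("problems:", demo())
```

Run it against a profile exported from the console by replacing demo() with a call to sso_payloads_from_mobileconfig() on the file's bytes and passing the PayloadUUIDs of the two credential payloads; an empty problem list means the realm, prefix, bundle ID and certificate reference are consistent with steps 4 to 10.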

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision.