You configure the Mobile SSO foriOS authentication method from the Auth Methods page in the administration console. Select the Mobile SSO (for IOS) authentication method to use in the built-in identity provider.


  • Certificate authority PEM or DER file used to issue certificates to users in the AirWatch tenant.

  • For revocation checking, the OCSP responder's signing certificate.

  • For the KDC service select, the realm name of the KDC service. If using the built-in KDC service, the KDC should be initialized. See the Installing and Configuring VMware Identity Manager for the built-in KDC details.


  1. In the Identity & Access Management tab, go to Manage > Auth Methods.
  2. In the Mobile SSO (for iOS) Configure column, click the icon.
  3. Configure the Kerberos authentication method.



    Enable KDC Authentication

    Select this check box to enable users to sign in using iOS devices that support Kerberos authentication.


    If you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. The text in this parameter must be entered in all caps. For example, OP.VMWAREIDENTITY.COM

    If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.

    The realm value is read-only. The realm entered here is the identity manager realm name for your tenant.

    Root and Intermediate CA Certificate

    Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.

    Uploaded CA Certificate Subject DNs

    The content of the uploaded certificate file is displayed here. More than one file can be uploaded and whatever certificates that are included are added to the list.

    Enable OCSP

    Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

    Send OCSP Nonce

    Select this check box if you want the unique identifier of the OCSP request to be sent in the response.

    OCSP Responder’s Signing Certificate

    Upload the OCSP certificate for the responder.

    When you are using the AirWatch Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the AirWatch certificate here as well.

    OCSP Responder’s Signing Certificate Subject DN

    The uploaded OCSP certificate file is listed here.

    Cancel Message

    Create a custom sign-in message that displays when authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.

    Enable Cancel Link

    When authentication is taking too long, give users the ability to click Cancel to stop the authentication attempt and cancel the sign-in.

    When the Cancel link is enabled. Cancel appears at the end of the authentication error message that displays.

    Enterprise Device Management Server URL

    Enter the Mobile Device Management (MDM) server URL to redirect users when access is denied because the device is not enrolled into AirWatch for MDM management. This URL displays in the auth failure error message. If you do not enter a URL here, the generic Access Denied message displays.

  4. Click Save.

What to do next

  • Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.

  • Configure the default access policy rule for Kerberos authentication for iOS devices. Make sure that this authentication method is the first method set up in the rule.

  • Go to the AirWatch admin console and configure the iOS device profile inAirWatch and add the KDC server certificate issuer certificate from VMware Identity Manager.