You configure the Mobile SSO foriOS authentication method from the Auth Methods page in the administration console. Select the Mobile SSO (for IOS) authentication method to use in the built-in identity provider.
Certificate authority PEM or DER file used to issue certificates to users in the AirWatch tenant.
For revocation checking, the OCSP responder's signing certificate.
For the KDC service select, the realm name of the KDC service. If using the built-in KDC service, the KDC should be initialized. See the Installing and Configuring VMware Identity Manager for the built-in KDC details.
- In the Identity & Access Management tab, go to .
- In the Mobile SSO (for iOS) Configure column, click the icon.
- Configure the Kerberos authentication method.
Enable KDC Authentication
Select this check box to enable users to sign in using iOS devices that support Kerberos authentication.
If you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. The text in this parameter must be entered in all caps. For example, OP.VMWAREIDENTITY.COM
If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.
The realm value is read-only. The realm entered here is the identity manager realm name for your tenant.
Root and Intermediate CA Certificate
Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.
Uploaded CA Certificate Subject DNs
The content of the uploaded certificate file is displayed here. More than one file can be uploaded and whatever certificates that are included are added to the list.
Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.
Send OCSP Nonce
Select this check box if you want the unique identifier of the OCSP request to be sent in the response.
OCSP Responder’s Signing Certificate
Upload the OCSP certificate for the responder.
When you are using the AirWatch Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the AirWatch certificate here as well.
OCSP Responder’s Signing Certificate Subject DN
The uploaded OCSP certificate file is listed here.
Create a custom sign-in message that displays when authentication is taking too long. If you do not create a custom message, the default message is
Attempting to authenticate your credentials.
Enable Cancel Link
When authentication is taking too long, give users the ability to click Cancel to stop the authentication attempt and cancel the sign-in.
When the Cancel link is enabled. Cancel appears at the end of the authentication error message that displays.
Enterprise Device Management Server URL
Enter the Mobile Device Management (MDM) server URL to redirect users when access is denied because the device is not enrolled into AirWatch for MDM management. This URL displays in the auth failure error message. If you do not enter a URL here, the generic Access Denied message displays.
- Click Save.
What to do next
Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.
Configure the default access policy rule for Kerberos authentication for iOS devices. Make sure that this authentication method is the first method set up in the rule.
Go to the AirWatch admin console and configure the iOS device profile inAirWatch and add the KDC server certificate issuer certificate from VMware Identity Manager.