In VMware Identity Manager, the External Access Token authentication method is unique to the AirWatch integration and is required for both single sign-on (SSO) and triggering the out-of-box experience (OOBE) in Workspace ONE on Windows 10 devices.


When using AirWatch External Access Token authentication, the AirWatch Cloud Connector component of VMware Enterprise Systems Connector must be deployed and configured.

  • External Access Token Authentication enabled on the AirWatch page in the Identity & Access Management tab.

  • Microsoft Azure Active Directory service configured.

  • AirWatch Provisioning Service for Windows 10 devices configured.

The configuration of External Access Token is read-only and is based off the AirWatch configuration in VMware Identity Manager. The exception is the token lifetime field.


  1. To review and manage the configuration, in the Identity & Access Management tab, select Authentication Methods.
  2. In the Airwatch External Access Token Configure column, click the pencil icon.
  3. Review the configuration.



    Enable AirWatch External Access Token

    This check box is enabled on the AirWatch page.

    AirWatch Admin Console URL

    Pre-populated with the AirWatch URL.

    AirWatch API Key

    Pre-populated with the AirWatch Admin API key.

    Certificate Used for Authentication

    Pre-populated with the AirWatch Cloud Connector certificate.

    Password for Certificate

    Pre-populated with the password for the AirWatch Cloud Connector certificate.

    AirWatch External Access Token Lifetime in Seconds

    The access token is used to validate the authentication with VMware Identity Manager. Access tokens have a limited lifetime. The time configured is the maximum time that the access token is valid. The token life is editable and defaulted to 600 seconds, which is 10 minutes.

    If the access token expires, users are prompted to authenticate again in the Workspace ONE application.

  4. Click Save.

What to do next

Associate the AirWatch External Access Token authentication method in the built-in identity provider. See Configure Built-in Identity Providers

After the AirWatch External Access Token is associated to the built-in identity provider, create an access policy rule to use this auth method. See Create Access Policy for Workspace ONE Out-of-Box Experience Process.