Configure mobile single sign-on (SSO) to allow users on Workspace ONE UEM-enrolled devices to log in to their enabled applications securely without entering multiple passwords.
The devices that can be configured for SSO are iOS and Android devices.
iOS Single Sign-On Component Configuration
Mobile single sign-on for iOS uses the PKINIT Kerberos protocol for certificate transport, but does not require an on-premises infrastructure. A built-in Kerberos adapter is available in the service, which can handle iOS authentication without the need for device communication to your internal domain controller. In addition, Workspace ONE UEM can distribute identity certificates to devices, eliminating the requirement to maintain an on-premises CA.
- iOS Version 9 and later
Android Single Sign-On Component Configuration
Mobile single sign-on (SSO) for Android is an implementation of the certificate authentication method for Workspace ONE UEM-managed Android devices. Mobile SSO allows users to sign in to their device and securely access their Workspace ONE apps without reentering a password.
The VMware Tunnel mobile app is installed on the Android device to add certificate and device ID information into authentication flows. The Tunnel settings are configured in the Workspace ONE UEM console to access the Workspace ONE Access service for authentication, and the service retrieves the certificate from the device for authentication.
- Android 4.4 and later
- Applications must support SAML or another supported federation standard.
Deploying the Intelligent Hub app to all Android devices does not automatically deploy the application to Android for Work containers. Android for Work is required to use the Workspace ONE application Adaptive Management feature. To add this application to Android for Work devices as well, and for more detail on the additional options available as part of Workspace ONE UEM MAM, review the Workspace ONE UEM Integration with Android for Work guide.