Using my Lab CA for iOS Mobile SSO

If you have already configured Mobile SSO for iOS, or you are looking at configuring Mobile SSO but would rather use your own CA instead of the built-in CA within Workspace ONE UEM, this blog will walk you through the steps to configure this in your lab environment.

In this blog I’m going to make multiple references to my previous blog on Setting up a 3rd Party CA with Workspace ONE.

Disclaimer: These instructions will guide you through the process of setting up your CA in a lab environment. Please consult professional services for anything on production.

This blog assumes that you already have Active Directory Certificate Services installed and configured.

A Workspace ONE UEM Cloud Connector is required for this configuration.

Creating a Service Account

Follow the Steps on Creating a Service Account. If you followed my previous blog you can use the same service account for the Mobile SSO certificate.

Creating a Certificate Template

  1. On your Windows Active Directory Certificate Services server, open Certification Authority.
  2. Right-click Certificate Templates and click Manage.
  3. Locate the “Kerberos Authentication” template, right-click it and select Duplicate Template.
  4. Provide a name for the template (don’t use any spaces in the template name; this is the name you will reference from Workspace ONE UEM later) and uncheck “Publish certificate in Active Directory”.
    Note: If this box is left checked, every issued certificate is published to the AD object of the service account that submitted the request, because that account, not the end user, is the enrolling identity.
  5. Click OK.
  6. Right-click the new template and click Properties.
  7. Go to the Security tab and assign the service account the Read and Enroll permissions. Because this template lets the requester supply the subject and carries a client authentication EKU (see the next steps), anyone with Enroll on it can request a certificate for any UPN, so make sure no broad group such as Authenticated Users or Domain Users holds Enroll, and treat the service account credentials accordingly.
  8. Click the Subject Name tab and select “Supply in the request”.
  9. Select OK on the warning and click OK again.
  10. Click the Extensions tab.
  11. Select Application Policies and click Edit.
  12. Remove:
    1. KDC Authentication
    2. Server Authentication
    3. Smart Card Logon
  13. Click Add.
  14. Click New.
  15. For the Name, enter “Kerberos Client Authentication”.
  16. For the Object Identifier, enter “1.3.6.1.5.2.3.4” (delete any OID that is pre-populated).
  17. Click OK and OK again. Do not make the extension critical.
  18. Click OK to save your template.
  19. Go back to the Certification Authority console.
  20. Right-click Certificate Templates and click New -> Certificate Template to Issue.
  21. Select your new certificate template and click OK.
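Before pointing Workspace ONE UEM at the template, it is worth reading it back from Active Directory and checking each setting, because a template that combines “Supply in the request” with a client authentication EKU is only as safe as its Enroll ACL. The PowerShell script below is an added example and is not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that you run it as a domain account that can read the Configuration partition, and that the template name is WS1MobileSSO as in this lab.

```powershell
# Added example (not from the original post): read the duplicated ADCS template back
# from AD and confirm it matches the steps above before wiring it into UEM.
# Assumptions: RSAT ActiveDirectory module present, rights to read the Configuration
# partition, and the lab template name WS1MobileSSO.
param([string]$TemplateName = 'WS1MobileSSO')

Import-Module ActiveDirectory

$configNc    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$props       = @('msPKI-Certificate-Application-Policy', 'pKIExtendedKeyUsage',
                 'pKICriticalExtensions', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag')
$template = Get-ADObject -SearchBase $templatesDn -LDAPFilter "(cn=$TemplateName)" -Properties $props
if (-not $template) { throw "Template '$TemplateName' not found under $templatesDn" }

# OIDs referenced in the Application Policies step
$PkinitClientAuth = '1.3.6.1.5.2.3.4'        # Kerberos Client Authentication (added)
$KdcAuth          = '1.3.6.1.5.2.3.5'        # KDC Authentication (removed)
$ServerAuth       = '1.3.6.1.5.5.7.3.1'      # Server Authentication (removed)
$SmartCardLogon   = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon (removed)
$EkuExtension     = '2.5.29.37'              # EKU extension, must not be marked critical
$AppPolicyExt     = '1.3.6.1.4.1.311.21.10'  # Application Policies extension, same rule

# Bits in the msPKI-*-Flag attributes behind the checkboxes used in the wizard
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # Subject Name -> "Supply in the request"
$CT_FLAG_PUBLISH_TO_DS             = 0x8     # "Publish certificate in Active Directory"

$appPolicies = @($template.'msPKI-Certificate-Application-Policy')
$critical    = @($template.pKICriticalExtensions)
$nameFlag    = [int64]$template.'msPKI-Certificate-Name-Flag'
$enrollFlag  = [int64]$template.'msPKI-Enrollment-Flag'

$checks = [ordered]@{
    'Kerberos Client Authentication EKU present' = $appPolicies -contains $PkinitClientAuth
    'KDC Authentication removed'                 = $appPolicies -notcontains $KdcAuth
    'Server Authentication removed'              = $appPolicies -notcontains $ServerAuth
    'Smart Card Logon removed'                   = $appPolicies -notcontains $SmartCardLogon
    'EKU / application policies not critical'    = ($critical -notcontains $EkuExtension) -and ($critical -notcontains $AppPolicyExt)
    'Subject supplied in the request'            = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'Publish to Active Directory unchecked'      = ($enrollFlag -band $CT_FLAG_PUBLISH_TO_DS) -eq 0
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# The template lets the requester choose the subject and carries a client-auth EKU,
# so every principal with Enroll can obtain a certificate for any UPN. List them:
# only the UEM service account (plus your CA admins) should appear.
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path ("AD:\" + $template.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique |
    ForEach-Object { "Enroll granted to: $_" }
```

Run it from the CA or any domain-joined admin workstation. Every check should print OK, and the final list should contain only the service account and your CA administrators; if a wide group shows up there, fix the template ACL before issuing the template. On the CA itself, `certutil -v -template WS1MobileSSO` shows the same attributes from the CA’s point of view.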

Export your Root CA Public Certificate

Follow the steps on exporting your Root CA Cert.

Creating a New Certificate Authority in Workspace ONE UEM

Follow the Steps on Creating a Certificate Authority in Workspace ONE UEM. If you followed my previous blog on creating a certificate authority you don’t need to create a new CA in UEM.

Creating a New Certificate Template in Workspace ONE UEM

  1. In the Workspace ONE UEM administration console, go to Devices -> Certificates -> Certificate Authorities and click the Request Templates tab.
  2. Click Add.
  3. Provide a name for the template.
  4. Select the certificate authority you just created.
  5. Enter your Issuing Template in the format certificatetemplate:[ADCS-TEMPLATE], where [ADCS-TEMPLATE] is the template name (not the display name) you gave the duplicated template in ADCS. In my lab, my issuing template is “certificatetemplate:WS1MobileSSO”.
  6. Select the Subject Name. In my environment, I’m going to use the UPN as the subject name.
  7. Select the correct private key length (per your CA settings).
  8. Select both Signing and Encryption.
  9. Under SAN, add the following:
    1. Email Address -> {EmailAddress}
    2. User Principal Name -> {UserPrincipalName}
    3. DNS Name -> UDID={DeviceUid}
  10. Select Automatic Certificate Renewal.
  11. Select Enable Certificate Revocation.
  12. Click Save.

Download the KDC Certificate

  1. Log into the Workspace ONE Access Console
  2. Go to Identity & Access Management -> Identity Providers
  3. Click on your Built-in Identity Provider (this can be the default one or custom built-in provider)
  4. Scroll to the bottom and download your KDC Certificate.
  5. Click Cancel to exit.

Creating your Device Profile

  1. In the Workspace ONE UEM console, click Resources -> Profiles & Baselines -> Profiles.
  2. Click Add -> Add Profile.
  3. Select the platform for this profile.
  4. Depending on the platform, select Device Profile.
  5. Provide a name and assign a Smart Group.
  6. Click the Credentials tab.
  7. Select Defined Certificate Authority.
  8. Select your CA.
  9. Select your Mobile SSO template.
  10. In the bottom right there is a +/- control; click the + sign to add a second credential.
  11. Click the Upload button and upload the KDC certificate you downloaded in the previous step.
  12. On the left, select the Single Sign-On tab.
  13. Provide an Account Name, e.g. iOS Mobile SSO.
  14. For Kerberos Principal Name, enter “{EnrollmentUser}”.
  15. For the Realm, enter in all caps the domain where your Workspace ONE Access tenant is hosted. Some values include:
    1. VIDMPREVIEW.COM
    2. WORKSPACEONEACCESS.COM
    3. VMWAREIDENTITY.COM
  16. Scroll down to Applications. In a non-production environment I recommend you leave this blank. Once you have completed your testing you can optionally add your application bundle IDs to limit which applications are allowed to use Mobile SSO; for example, you would configure this if you want your users to use Boxer for email but not allow Outlook.
  17. Click Save and Publish.
  18. At this point, make sure the certificate is deployed to the device. It can sit in a pending state for a while. If you receive any errors, double-check all your settings.
  19. Once the certificate is on the device, open it and verify that the SAN attributes are correct: the UPN, the email address and the DNS name carrying UDID={DeviceUid} from the request template.
  20. Verify that the EKU has the correct application policies: Kerberos Client Authentication (1.3.6.1.5.2.3.4) must be present, and KDC Authentication, Server Authentication and Smart Card Logon must not be.
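To make the SAN and EKU check repeatable instead of clicking through the certificate viewer on the device, here is an added PowerShell example that is not part of the original post. It assumes the issued certificate has been exported as a .cer file (from the CA’s Issued Certificates view, or from the device) to C:\lab\mobile-sso-device.cer and that the enrolled user’s UPN is jdoe@lab.example.com; both values are placeholders for your own.

```powershell
# Added example (not from the original post): inspect an issued Mobile SSO certificate
# and confirm the SAN and EKU match what the UEM request template asked for.
# Assumptions: the cert was exported as DER or Base64 .cer to $CertPath, and the
# enrolled user's UPN is $ExpectedUpn (both placeholders).
param(
    [string]$CertPath    = 'C:\lab\mobile-sso-device.cer',   # assumption
    [string]$ExpectedUpn = 'jdoe@lab.example.com'            # assumption
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# --- SAN (2.5.29.17): expect the UPN, the email address and a DNS name of UDID=<DeviceUid> ---
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "No Subject Alternative Name extension in $CertPath" }
$san = @{}
# Windows formats the SAN as one "<type>=<value>" entry per line; the UPN is shown as
# "Principal Name=" under "Other Name:". A repeated type keeps the last value.
foreach ($line in ($sanExt.Format($true) -split "`r?`n")) {
    if ($line -match '^\s*(Principal Name|RFC822 Name|DNS Name)=(.+?)\s*$') {
        $san[$matches[1]] = $matches[2]
    }
}

# --- EKU (2.5.29.37): Kerberos Client Authentication present, the removed policies absent ---
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

$checks = [ordered]@{
    "Subject contains the UPN ($ExpectedUpn)" = $cert.Subject -match [regex]::Escape($ExpectedUpn)
    'SAN: Principal Name (UPN) matches'       = $san['Principal Name'] -eq $ExpectedUpn
    'SAN: RFC822 Name (email) present'        = [bool]$san['RFC822 Name']
    'SAN: DNS Name carries UDID=<DeviceUid>'  = $san['DNS Name'] -match '^UDID=\S+$'
    'EKU: Kerberos Client Authentication'     = $ekus -contains '1.3.6.1.5.2.3.4'
    'EKU: KDC Authentication absent'          = $ekus -notcontains '1.3.6.1.5.2.3.5'
    'EKU: Server Authentication absent'       = $ekus -notcontains '1.3.6.1.5.5.7.3.1'
    'EKU: Smart Card Logon absent'            = $ekus -notcontains '1.3.6.1.4.1.311.20.2.2'
    'Not yet expired'                         = $cert.NotAfter -gt (Get-Date)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-42} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# The Microsoft Application Policies extension mirrors the template's Application
# Policies tab; print it so it can be compared with the EKU list above.
$appPol = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.10' }
if ($appPol) { "Application Policies:`n" + $appPol.Format($true) }
```

If the SAN checks fail but the EKU checks pass, the problem is on the UEM request template (SAN entries or subject name); if the EKU checks fail, the ADCS template was not edited or issued as described above, and the device will not be able to authenticate to the Workspace ONE Access KDC with it.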

Configuring Workspace ONE Access

  1. In the Workspace ONE Access administration console, go to Identity & Access Management -> Authentication Methods.
    If you previously ran the Workspace ONE UEM wizards, the “Mobile SSO (for iOS)” authentication method might already be enabled. If it is, delete the uploaded CA certificates and replace them with your root CA certificate from ADCS. If you want to keep the Workspace ONE UEM CA as well, you can leave it in place so both CAs co-exist.
  2. Click the pencil icon beside Mobile SSO (for iOS).
  3. Click Enable.
  4. Click Select File and upload your root CA certificate.
  5. Click Save.

