Intelligent Hub Verify and Authenticator App (SaaS only)
VMware Verify will be EOL from Oct 2022, and the VMware Verify app will no longer be available in the App Store. This guide is for those who are planning to use MFA or would like to migrate from VMware Verify to Intelligent Hub Verify or to any of your favourite authenticator apps (Google Authenticator, Microsoft Authenticator, etc.).
For more information, read the VMware KB article below:
Workspace ONE Access: VMware Verify End-Of-Life
This tutorial looks at several initial scenarios: setting up Verify (Intelligent Hub) or a third-party Authenticator App, or migrating from VMware Verify to Verify (Intelligent Hub). The scenarios listed are for SaaS customers using VMware Workspace® ONE and depend on where the customer is on their journey.
This tutorial is intended for IT administrators and product evaluators who are familiar with Workspace ONE UEM and Workspace ONE Access. Familiarity with the virtual environment, Active Directory, identity management, and directory services is assumed.
Activate Hub Services:
Activate Hub Services within the Workspace ONE UEM console. This allows you to use the catalog services inside the Intelligent Hub application. If you have not enabled Hub Services, you can follow my blog post below to enable them.
Activate Verify (Intelligent Hub) Authentication Method:
You must activate the Verify (Intelligent Hub) authentication method in the Workspace ONE Access admin console before you can add it to your access policy.
In the Workspace ONE Access admin console, navigate to Identity & Access Management > Authentication Methods. Click the edit icon for Verify (Intelligent Hub).
Select the check box Enable Verify (Intelligent Hub). Click Save.
Now make sure to check the box Verify (Intelligent Hub) in your Identity Providers.
Edit Policy Rule in Workspace ONE Access:
Next, add the Verify (Intelligent Hub) authentication method to your access policy.
In the Workspace ONE Access admin console, navigate to Identity & Access Management > Policies, edit your Default Access Policy Set, and add the authentication method to the access policy.
For apps that require multi-factor authentication (MFA), the authentication method can be added as a second factor.
Device Enrollment Policy:
Device enrollment would fail if the user has no other device enrolled. To handle that case, create a policy for device enrollment and make sure it sits on top of the other policies inside your Default Access Policy Set.
For Device Enrollment, select the authentication methods that you want, for example, password, third-party IdP, RADIUS, and so on.
Authenticator App (TOTP):
The WS1 admin also has the option to use an Authenticator App (Google Authenticator, Microsoft Authenticator, etc.) if you don't want to use Intelligent Hub Verify or would like to offer multiple options.
This form of 2FA is ideal for users with unmanaged devices but also works for managed device users.
In the Workspace ONE Access admin console, navigate to Authentication Methods. Click the edit icon for Authenticator App.
Now make sure to check the box Authenticator App in your Identity Providers.
Edit Policy Rule in Workspace ONE Access:
Next, add the Authenticator App authentication method to your access policy.
In the Workspace ONE Access admin console, navigate to Policies, edit your Default Access Policy Set or create a new one, and add the authentication method to the access policy.
Now, if a user is enrolling a device for the first time or accessing the WS1 user portal, the user will be presented with the screen below to register the Authenticator App.
Written by
Joined VMware in July 2015 as a consultant and has worked in different BUs for over 6 years. Has over 10 years of experience in the IT industry, with a Master's degree in IT.