Bringing VMware iOS Mobile SSO to the next Level

With the recent release of Workspace ONE Access, an updated version of Mobile SSO for iOS (now called Mobile SSO for Apple) is arriving that uses the Intelligent Hub and an SSO Extension. I want to share the configuration, the user experience and how it can be used in the field. But first, let us start by looking at the prerequisites.

Pre-Reqs:

  • Workspace ONE UEM (23.06+ has a nice GUI for it, but it also works with older UEM versions)
  • Workspace ONE Access SaaS
  • Workspace ONE Intelligent Hub for iOS 23.06+
  • MDM Managed Device with iOS 13+

Workspace ONE Access Settings

First, let us activate the authentication method in the Workspace ONE Access Admin Console. Go to “Integrations” and select “Authentication Methods”.

Select “Mobile SSO (for Apple)” and click “Configure”.

On the next screen, make sure “Enable Certificate Adapter” is set to “Yes”, upload the Root CA of your Certificate Authority (if you want to use the UEM integrated CA, the next screen shows where you can download it), and check that the User Identifier Search Order is set correctly.

As the WS1 internal CA does not work with certificate revocation checking (the revocation URL is missing in the issued certificates), I disabled it to make sure the login works. If you use your own CA, it might work by default.

At the bottom you can select the authentication type on the device. If you select “none”, the SSO will not ask for any additional factor. The “biometric” option will ask for Touch ID, while the “biometric-passcode” option will allow Touch ID/Face ID or the passcode.

The exact Device User experience of this setting is shown in the “Device Demo” part of this Blog.

If you use the WS1 integrated CA, you can get the Root Certificate from the UEM Console. Go to “Settings”, “Enterprise Integrations”, “Workspace ONE Access”, “Configuration” and click the Export button to get the Root CA that needs to be uploaded to the authentication adapter in Access.

Now you just need to enable the authentication method in the Identity Providers section of the Integrations tab. Select your IdP and tick the box for “Mobile SSO (for Apple)”.

Now we just need to change the policies to consume the new authentication method. Go to “Resources”, “Policies” and edit your access policy.

Make sure “Mobile SSO (for Apple)” is selected, so it can be used to authenticate.

With that the Workspace ONE Access configuration is finished and we just need to create the iOS Profile in Workspace ONE UEM.

Workspace ONE UEM Console Settings

Login to Workspace ONE UEM and create a new iOS Device Profile.

Click “Resources”, select “Profiles” in the Profiles and Baselines section, then go to “Add” and select “Add Profile”.

Select the platform “Apple iOS”

Select the “Device Profile”

Click “Add” for the “SCEP” and “SSO Extension” payloads and give the profile a name.

Specify the certificate settings in the SCEP payload. As I used the UEM integrated CA, select “AirWatch Certificate Authority” as the Credential Source as well as the Certificate Authority, and use “Single Sign-On” as the certificate template.

For UEM 23.06 or newer you can select the “WS1 Access” extension type and optionally define the App IDs that can use the SSO. If you do not add any Bundle ID, it will be used for all apps.

Note: Sometimes the Hostname is pre-filled, in other environments it is not, so make sure the Host is filled out before saving the profile. The Host does not include any “/” or “https”, just the hostname of WS1 Access.

On older versions of Workspace ONE UEM, like UEM 23.02 for example, you need to go with the “Generic” extension type: set the Extension Identifier to “com.air-watch.agent.SSOExtension”, set the Type to “Credential” and add the hostname of the Access tenant to the “Hosts” field.
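To make the Host rule from the note above and the “Generic” extension settings concrete, here is an added Python example (not code from the blog or from VMware) that builds the equivalent Apple Extensible SSO payload and validates the Access hostname the way the note describes. It uses Apple's documented payload keys (PayloadType com.apple.extensiblesso, ExtensionIdentifier, Type, Hosts) and the extension identifier and Type from the post; the payload identifiers, the tenant name access.example.com and the helper names are made-up for the example. In practice UEM generates the real profile, so the main use of this is checking a profile's Hosts entries before you assign it.

```python
import plistlib
import re
import uuid

# Values taken from the post: the Hub SSO extension identifier and the
# "Credential" extension type used with the "Generic" extension type on
# older UEM versions (e.g. 23.02). Everything else here is illustrative.
HUB_SSO_EXTENSION_ID = "com.air-watch.agent.SSOExtension"
HUB_SSO_EXTENSION_TYPE = "Credential"

# Rule from the post's note: the Host is only the bare hostname of the
# Workspace ONE Access tenant, with no scheme ("https") and no "/".
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_access_host(host: str) -> str:
    """Return the normalised Access hostname or raise ValueError saying why it is unusable."""
    if host is None or not host.strip():
        raise ValueError("Host is empty: fill in the Access tenant hostname before saving the profile")
    h = host.strip()
    if "://" in h:
        raise ValueError("Host must not include a scheme such as https://")
    if "/" in h:
        raise ValueError("Host must not include a path or a trailing /")
    if not _HOSTNAME_RE.match(h):
        raise ValueError(f"{h!r} is not a valid DNS hostname")
    return h.lower()


def host_error(host: str):
    """The validation error message for a host, or None when the host is acceptable."""
    try:
        validate_access_host(host)
    except ValueError as exc:
        return str(exc)
    return None


def build_sso_extension_profile(access_host: str, display_name: str = "Mobile SSO for Apple") -> bytes:
    """Build a configuration profile with one Extensible SSO payload, returned as plist XML bytes.

    This reproduces only the fields the post asks you to fill in; UEM generates the real profile.
    """
    host = validate_access_host(access_host)
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mobilesso.extension",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "ExtensionIdentifier": HUB_SSO_EXTENSION_ID,
        "Type": HUB_SSO_EXTENSION_TYPE,
        "Hosts": [host],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mobilesso",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [sso_payload],
    }
    return plistlib.dumps(profile)


def extract_sso_hosts(profile_bytes: bytes) -> dict:
    """Map each Extensible SSO payload's ExtensionIdentifier to its validated Hosts list.

    Handy for checking a profile (for instance one exported from UEM) before assigning it:
    a missing or malformed Hosts entry means the extension is never asked to handle the
    Access tenant, which shows up on the device as the old browser-based login.
    """
    profile = plistlib.loads(profile_bytes)
    hosts_by_extension = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue
        hosts = payload.get("Hosts", [])
        # Re-run the hostname rule on every entry so a bad host is flagged, not silently kept.
        hosts_by_extension[payload["ExtensionIdentifier"]] = [validate_access_host(h) for h in hosts]
    return hosts_by_extension


if __name__ == "__main__":
    # Constructed sample tenant name, not a real environment.
    xml = build_sso_extension_profile("access.example.com")
    print(xml.decode())
    print(extract_sso_hosts(xml))
    for bad in ("", "https://access.example.com", "access.example.com/SAAS/auth"):
        print(repr(bad), "->", host_error(bad))
```

Running the script prints the generated profile, the hosts it found, and the error message for each of the three mistakes the note warns about (empty host, scheme included, path included). Point `extract_sso_hosts` at the bytes of a `.mobileconfig` to run the same check on a profile you already have.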

Once done, just save and assign the profile and the device is ready for Mobile SSO (for Apple).

Admin Settings Demo

In this section I created videos of the flow above, so you can easily follow the process.

Create Profiles in Workspace ONE UEM

Export the Root CA from UEM

Set up the settings in Workspace ONE Access:

Device Demo

Device Demo without User interaction:

Device Demo with Touch ID / Face ID:

Device Demo with Passcode:

Conclusion

With the new functionality, VMware is adding an additional layer of security to the iOS platform with Workspace ONE Mobile SSO. It is easy to adopt for customers who already have UEM and Access in place, and as users are already used to the “silent” mode, the changes for them are limited.

Written by

vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.

2 thoughts on “Bringing VMware iOS Mobile SSO to the next Level”

  • Damian
    2024-03-11 at 16:08

    Hi Patrick,

    Great guide – I have some feedback to share:

    1) Under the SCEP section, when I select “Defined Cert Authority”, I don’t see our CA in the drop down list despite being on the correct OG. We use the PKI protocol option rather than SCEP so I’m guessing this is the reason? What’s the solution in this case?

    2) Under the SSO Extension, I don’t see WS1 ACCESS as an extension type and this despite us running UEM 23.6.0.21 ? Is there a specific feature flag that needs to be activated for those options to appear?

    Thanks

    • Patrick Zoeller
      2024-03-12 at 08:03

      Hi Damian,

      1- this depends if you want to use the integrated CA and SCEP or a CA Profile with your Custom Profile. Both are working, it all depends on your settings. (You need to make sure you have the correct Root CA also uploaded on the Access side)

      2- there is a FF for DDUI for iOS “DDUIForAppleProfilesFeatureFlag” as this is not enabled for Dedicated Saas by default in 23.06 UEM. It will be on by Default in 23.10 for Dedicated SaaS or VMware can enable it manually on Request.

      best regards

      Patrick
