UEM Token – Workspace ONE Access Authentication Method
Issue:
When the authentication mode for Intelligent Hub is set to Access and "require registration token" is enabled, UEM performs the authentication and enrollment completes. However, Access is unaware of this authentication, so it does not issue a token to Hub. The user is then prompted for a username and password, which results in duplicate authentication.
Solution:
The “UEM Token” authentication method allows customers to seamlessly change the source of authentication from Workspace ONE UEM to Workspace ONE Access for device enrollment of the Workspace ONE Intelligent Hub for iOS and Android.
The Intelligent Hub app coordinates between the connected Workspace ONE UEM and Workspace ONE Access to confirm the intended user and the validity of the UEM enrollment token. This solves the problem of duplicate authentication, provides the most seamless transition yet for Workspace ONE UEM customers to Workspace ONE Access, and does not impact existing enrolled devices.
Below is the VMware documentation link explaining in detail:
Enable UEM Token Device Enrollment Authentication Method in Workspace ONE Access
Pre-Requirements
- Workspace ONE Access (Cloud-only)
- Workspace ONE UEM version 22.10 and later
- Intelligent Hub iOS or Android versions 22.6 or later
Configuration pre-reqs:
- Hub source of authentication set to Access at Customer OG
- Enrollment with registration configured
- Access will have UEM Token auth adapter enabled
- Access policy should use Device Enrollment
Configurations Needed
On Workspace ONE UEM Admin Console
On Workspace ONE Access Admin Console
Enable the “UEM Token” auth method, and enable the auth method on the Identity Provider associated with the user directory.
Edit the “Device Enrollment” policy rule in the “default_access_policy_set”.
In the “Device Enrollment” access policy rule, the UEM Token can be used as a single factor or in conjunction with a second factor such as password.
Joined VMware in July 2015 as a consultant and worked in different BUs over 7 years. Has over 10 years of experience in the IT industry and a Master's degree in IT.
mahfudz
Hi,
How can we implement single sign-on using Workspace ONE Web with the login page for the internal site? It looks like I can't see the documentation for the integration. Can you help me?
Patrick Zoeller
Hi Mahfudz,
You can use a certificate for authentication, for example. We have shown this in a blog post in the past, incl. Tunnel; this also works on MDM management:
https://digitalworkspace.one/2021/12/17/byod-light-passwordless-secure-browsing/
Best regards
Patrick
Mohd
I am facing the same situation with on-premises UEM and Access, where users, when they open the Hub (during enrollment), have to provide authentication from UEM and are then asked to provide authentication from Access, most likely for the Catalog. Is there any way to cancel either of these 2 authentications with an on-prem setup?
Muhammad Adnan Asim
If you are using on-prem WS1 Access, UEM token authentication is enabled in UEM, and the source of authentication is set to WS1 Access, then you do see this issue. If the source of authentication is set to WS1 UEM, then users do not face this issue. Currently, the WS1 Access cloud is the requirement to resolve this issue.
You can get more info related to that from the VMware doc link below.
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/ws1_access_authentication_cloud/GUID-F2AC16E4-DC21-4C48-B58D-010C96675B62.html
Regards,
Muhammad