Workspace One UEM

Your favourite guide to configuring UEM (AirWatch)

Windows 10

Use Cases

Windows 10 OOBE

<Format xmlns="syncml:metinf">chr</Format>

<Format xmlns="syncml:metinf">chr</Format>




Windows 10

Windows 10 Azure OOBE, Okta as IdP


Enrolling into Workspace One UEM using Okta as the IdP is a great way to leverage your existing identity solution, whilst adding Workspace One to check device trust and add management.

This article presumes the following:

  • You’ve connected Workspace One UEM to vIDM. If not, follow this guide.
  • You’ve added Okta as an IdP within vIDM. If not, follow this guide.
  • Azure has been configured, users have synced, the AirWatch application added and federated to either Okta or vIDM. If not, follow this guide.

The flow for this type of enrollment is as follows:

  1. User types Azure username
  2. Azure sends user to organisation sign-in page. In this example, this is Workspace One (vIDM) with Okta added as a 3rd party IdP
  3. User logs in with AD username and password that’s synced into Okta
  4. This then SSO’s into Workspace One UEM (AirWatch) for the enrollment
  5. User is then prompted for the custom terms of use, set within Workspace One UEM.
  6. User is then prompted with the standard Windows privacy and terms options
  7. User is then prompted to verify user account; this is done through text message in this example.
  8. User is then prompted for a PIN
  9. Workspace One Agent is then pushed to device
  10. The device is automatically enrolled into Workspace One UEM
  11. Scripts, applications, Bitlocker and certificates are installed on the machine

Bear in mind, some aspects of this video have been sped up for demoing purposes.

Console Configurations

Workspace One UEM - Azure SAML integration

Azure SAML into Workspace ONE UEM

This article has been updated to match the new Azure admin portal – ENJOY!

Workspace One UEM allows for a number of different ways to authenticate when enrolling new devices. The majority of organisations will choose to integrate with their on-premise AD through the use of the Cloud Connector. This component allows for user group sync, integration with on-premise certificate authorities and pulling user attributes from Active Directory. All these features allow for a very streamlined enrollment and the ability to integrate with a whole number of different corporate resources.


For a lot of new organisations that may not already have a large on-premise footprint, cloud directories are far more favourable. They’ll skip the need and high cost for internal equipment when they can easily spin up new tenants on whatever identity/directory service they choose.

An increasingly common solution is online-only Azure Active Directory, with no on-premise directory sync (through Azure AD Connect). Leveraging this cloud directory type allows users to authenticate into Workspace One UEM using SAML. This creates the user within the console and allows the user to enroll their devices.

Setting this up can be complicated and detailed instructions can be hard to find. Don’t worry, the EUCSE’s got your back!

Add Azure Application:

1. Go to the Azure portal by clicking the following link:

2. Once logged in, select “Azure Active Directory” on the left-hand side of the portal

3. Select the Enterprise Applications section in the panel on the left and then select the “+New Application” button at the top.

4. Select ‘Non Gallery Application’ and give it a name. This will enable you to setup the SAML integration.

5. Select ‘Add’ – Be patient, this can take a few seconds. The bell icon in the top bar will display what’s happening with the app. You’ll then automatically be re-directed to the app configuration screen when it’s completed.

Configure Azure Application

  1. You should then see the above display. An overview of the new app.
  2. Now click on point 2. ‘Set up single sign on’
  3. You’ll then be asked what method of single sign on you require.

4. Select SAML and you’ll be shown the following screen.

5. Scroll down to point 3 and hit download on ‘Federation Metadata XML’ – We’ll now need to upload this into Workspace ONE UEM.

Workspace One UEM Configuration

  1. Open your console, go to Groups & Settings -> All Settings -> System -> Enterprise Integration -> Directory Services
  2. Change “Directory Type” to “none” and save the page at the bottom.
  3. Scroll back up and enable “Use SAML for Authentication”
  4. Enable “Use new SAML Authentication Endpoint”
  5. Under SAML 2.0 you can upload the XML you just saved from the Azure App and select Upload next to Import Identity Provider Settings

6. Now scroll to the bottom and save. The imported XML settings will be applied only after saving the Directory Services page. The Identity Provider ID and the SAML information should now be populated from the federation XML you just uploaded.

Directory Services Configuration 

1. Now scroll down and make sure that the request binding and response are both set to ‘Post’ and hit save.

2. Previously we would have needed to manually add the assertion URLs into Azure but we can do this automagically now! Scroll down to the bottom of the directory page in UEM and click ‘Export Service Provider Settings’ – We’ll use this shortly to finish the Azure App configuration.

3. Now we need to update the user attribute section. Select the User tab at the top and change the user attributes and Base DN as seen in the screenshot below:

Final Azure App Configuration

1. Make sure you’re on the ‘Single Sign-on’ page of your app and click on ‘Upload metadata file’

2. This should essentially complete the final section of your Azure app. Uploading the metadata should fill all the response URLs required.
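As a check on the configuration above, this added example (not part of the original post) parses a federation metadata document and reports whether it offers an HTTPS HTTP-POST sign-on endpoint, matching the ‘Post’ binding set in Directory Services, and a signing certificate. The sample metadata, its entity ID and URLs are constructed placeholders, and `check_idp_metadata` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = ("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
             "ds:X509Data/ds:X509Certificate")

# Constructed sample: entity ID, endpoints and certificate are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="https://sts.example.test/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.example.test/tenant/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.example.test/tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (summary, problems) for an IdP federation metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": root.get("entityID")}, ["no IDPSSODescriptor"]
    # Map each advertised binding to its sign-on URL.
    sso = {e.get("Binding"): e.get("Location", "")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in idp.findall(CERT_PATH, NS) if c.text]
    problems = []
    if POST not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    problems += [f"non-HTTPS endpoint: {loc}" for loc in sso.values()
                 if not loc.startswith("https://")]
    if not certs:
        problems.append("no signing certificate")
    summary = {"entity_id": root.get("entityID"),
               "post_sso": sso.get(POST), "signing_certs": len(certs)}
    return summary, problems
```

Run it against the downloaded file with `check_idp_metadata(open(path, encoding="utf-8").read())` and compare the reported entity ID with the Identity Provider ID shown in Directory Services after the import.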


SAML Authentication Test

  1. Get a hold of any device type
  2. Download the Workspace One Intelligent Hub application
  3. Select Server Details on the Agent page (if you have AutoDiscovery you can select email instead)
  4. Enter your environment URL along with your group id where you configured Azure SAML Authentication.
  5. You should now be re-directed to the Azure logon page. Once here enter in the credentials for a user in Azure.

You can also test this from a computer by navigating to:

You should then be forwarded to a Microsoft login page

Console Configurations

Windows 10 OOBE and Office 365 SSO


Console Configurations

Workspace One – Enabling Certificate Based Access – Windows 10/mac

Enabling the Certificate Authentication for web-based access to Workspace ONE on Windows and macOS

This post is designed to walk through configuration and implementation of the Certificate Authentication adapter for Workspace One, enabling Windows/macOS devices to SSO into Workspace One using user certificates.

In this setup we will be using certificates generated by the corporate Microsoft Certificate Authority, using Active Directory Certificate Services.

  1. Log into your server that runs the Microsoft Certificate Authority.
  2. Open the Certification Authority, right-click Certificate Templates, and select Manage.

3. Scroll down to the User template, right-click and select Duplicate Template.

4. Select the General tab, and provide a name for the template.

Template Display Name (Example): EUCSE-User

5. Select the Subject Name tab, and select the button to Supply in request.

Click OK when the prompt appears.

6. Click Ok

7. Go back to the Certification Authority. Under Certificate Templates, right-click and select New ->Certificate Template to Issue.

8. Select the template created in Steps 4-6 and click OK.

9. On the same server, launch MMC. Go to File ->Add/Remove Snap-In.

10. Add in the Certificates snap-in, ensure you select for the Computer Account and click OK.

11. Browse to Certificates (Local Computer) -> Trusted Root Certificate Authorities -> Certificates.

Right-click the root certificate for the CA, and select Open.

12. Click on the Details tab, and click Copy to File….

13. Click Next at the Certificate Export Wizard window.

14. Select Base-64 encoded X.509 as the format and click Next.

15. Click Browse to add in a file path for the certificate export, and click Next.

16. Click Finish – Ensure the export was successful. Click OK.

17. Transfer the exported certificate to your local machine.

18. Log into the AirWatch Console.

19. In the OG where Directory Services is enabled, go to Groups and Settings->All Settings->System ->Enterprise Integration->Certificate Authorities.

20. Under the Certificate Authorities tab, click Add.

21. Provide the configuration items for the Certificate Authority.

  • Name: Certificate Authority Name
  • Authority Type: Microsoft ADCS
  • Protocol: ADCS
  • Server Hostname: FQDN of the Certificate Authority
  • Authority Name: Name of the Certification Authority in MMC
  • Authentication: Service Account
  • Username: Domain account to request certificates
  • Password: Password for username above

Click Test Connection. Confirm that the test is successful.

22. Click Save.

23. Select the Request Templates tab, and click Add.

24. Provide the following configuration items in the Request Template.

  • Name: Request Template Name
  • Certification Authority: Name of the Authority configured in Step 12.
  • Issuing Template: Name of the certificate template in AD CS
  • Subject Name: CN={EnrollmentUser}
  • Private Key Type: Signing, Encryption
  • SAN Type: User Principal Name -> {UserPrincipalName}, DNS Name -> UDID={DeviceUid}
  • Enable Certificate Revocation: Checked

Click Save.

25. Log into the VMware Identity Manager administration console.

26. Go to Identity & Access Management -> Authentication Methods.

27. Select the Certificate (Cloud Deployment).

28. Click the checkbox to Enable Certificate Adapter.

Click Select File and upload the root certificate downloaded in Step 17.

29. Click Save to update the authentication adapter.

30. Select the Built-in Identity Provider and enable Certificate (Cloud deployment).

31. Go to Identity & Access Management ->Policies.

32. Select the default_access_policy_set policy and click edit.

33. Under Policy Rules, modify the existing Web Browser policy by clicking the authentication method.

34. Click Save on the default_access_policy_set policy.

Validate Access to Workspace ONE using a Web Browser on a device with a managed certificate


1. Log into the Workspace One UEM console.

2. Go to Add -> Profile, and select Windows -> Windows Desktop -> User Profile.

3. Fill out the details in the General tab, and ensure that the profile is applied to a Smart Group.

4. Click Configure the Credentials payload, and configure the credential to the following:

  • Credential Source: Defined Certificate Authority
  • Certificate Authority: Name of CA defined in above, Step 21
  • Certificate Template: Name of Template defined above, Step 24
  • Certificate Store: Personal
  • Store Location: User

5. Click Save and Publish, then Publish the profile.

6. Enroll a Windows 10 device into the Workspace One UEM environment.

7. In Workspace One UEM, validate that the profile created in Steps 2-5 has been successfully installed and reported to the console.

8. On the Windows 10 device, launch MMC and add in the Certificates snap-in for My User account.

9. Browse to Certificates – Current User->Personal -> Certificates.

Validate that the enrolled user certificate is present here, signed by the Enterprise CA. This certificate has been delivered to the device by AirWatch through that profile.

10. Launch Edge on the Windows 10 device. Type in the URL of the VMware Identity Manager tenant.

Click Next.

11. When prompted, click OK to confirm the certificate being presented to the web browser.

NOTE: There is a setting in Internet Options to remove this prompt if one certificate is being presented for authentication to the browser.

12. The session will be redirected to, and then to the VMware Identity Manager tenant.

Confirm access to the Workspace ONE web portal is granted without having to type in a username/password.

This authentication was completed using the Certificate (cloud deployment) adapter.

Console Configurations

Windows 10 – Set Background and Lock Screen CSP

A default requirement from any organisation will be to add some level of customised appearance to their desktop infrastructure. Within Workspace One UEM we have the ability to easily push out custom XML that will do just that!

Create a new profile within the Workspace One UEM console for a Windows Desktop machine and select device profile.

Now all we need to do is name the profile, assign it and add the custom XML:

The last payload on the left provides us with the ability to pass custom settings directly to the Windows 10 OMA client on the device. This opens the door to apply an extensive set of CSP configurations that can be found on the Microsoft website.

To set the background and the lock screen we need to add our custom XML.

As you can see, the ‘Install Settings’ replace the current configuration on the device and the ‘Remove Settings’ does the opposite, it deletes the settings that we’ve pushed out.

My example XML will set the background and lock screen after the user logs off and logs back in:

<Format xmlns="syncml:metinf">chr</Format>

<Format xmlns="syncml:metinf">chr</Format>

Console Configurations

Chrome SSO on macOS with Workspace ONE

So, you’ve enabled Workspace ONE for your organisation, you’re on your way to End User Nirvana. There’s just one thing in your way, the Username and Password field! Workspace ONE is great at becoming a one stop shop for all Web, Native and Virtual Applications, leaving your users with just one password to remember. But… what if that could be a thing of the past! On a Workspace ONE Managed Device (macOS or Windows 10), your users can simply open their Browser of Choice (except Firefox, we’ll cover that later), et voilà. Logged in without a second thought.


  • Workspace ONE Identity Manager
  • Workspace ONE UEM Console
  • A Certificate Authority configured within Workspace ONE UEM to issue user certificates

macOS – Chrome

To enable the selection of the User certificate within Chrome, we need to configure the AutoSelectCertificateForUrls policy. This can be achieved with the below Custom XML. Points to change:

  • pattern: the CAS URL for your Identity Manager tenant. In this example, its
  • filter: The ISSUER: should be the Issuer name of your CA. Something like “Company Issuing CA“.

Leave everything else default.
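An added example, not the post’s own Custom XML: it builds the AutoSelectCertificateForUrls value from the two points above and audits a policy for patterns or issuers broader than intended, since a wildcard pattern or an empty filter would let Chrome present a client certificate without prompting to sites other than the tenant. The host `cas.example.test` and the function names are assumptions, and only the Chrome preference keys are generated, not the Workspace ONE UEM payload wrapper.

```python
import json
import plistlib
from urllib.parse import urlsplit


def policy_entry(pattern, issuer_cn):
    """Build one AutoSelectCertificateForUrls entry (a JSON string)."""
    if "*" in pattern:
        # A wildcard would offer the user certificate to every matching host.
        raise ValueError("pattern must name a single host, not a wildcard")
    url = urlsplit(pattern)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("pattern must be an https:// URL with a host")
    if not issuer_cn.strip():
        # An empty filter matches any client certificate on the device.
        raise ValueError("issuer CN must be set")
    # Normalise to scheme and host so no path or query ends up in the policy.
    return json.dumps({"pattern": f"https://{url.netloc}",
                       "filter": {"ISSUER": {"CN": issuer_cn}}})


def chrome_prefs_plist(entries):
    """Serialise the policy as plist XML for the com.google.Chrome domain."""
    return plistlib.dumps({"AutoSelectCertificateForUrls": list(entries)})


def audit(plist_bytes, allowed_patterns, allowed_issuers):
    """Return findings for entries outside the expected patterns or issuers."""
    findings = []
    prefs = plistlib.loads(plist_bytes)
    for raw in prefs.get("AutoSelectCertificateForUrls", []):
        entry = json.loads(raw)
        issuer = entry.get("filter", {}).get("ISSUER", {}).get("CN")
        if entry.get("pattern") not in allowed_patterns:
            findings.append(f"unexpected pattern: {entry.get('pattern')}")
        if issuer not in allowed_issuers:
            findings.append(f"unexpected or missing issuer filter: {issuer}")
    return findings


# Constructed values: the host is a placeholder for the tenant's CAS URL.
CAS_URL = "https://cas.example.test"
ISSUER_CN = "Company Issuing CA"
PLIST = chrome_prefs_plist([policy_entry(CAS_URL, ISSUER_CN)])
```

After the profile installs, chrome://policy on the device should show the same pattern and issuer that `audit` was given.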

            <string>Google Chrome Settings</string>

Extra! Windows 10 – Chrome

Details provided by the Legendary Charlie Hodge EUCSE Blog 

Further Resources

  • WorkspaceONE UEM Integration with Microsoft ADCS via DCOM
  • Chrome troubleshooting: chrome://policy
  • IDM – Activity Reports

Console Configurations

Enable Workspace ONE Intelligent Hub for SaaS and Native Apps

If you’ve upgraded to Workspace ONE UEM 18.10 and you have anybody enrolled with the AirWatch Agent, you won’t fail to see the new Intelligent Hub app and Hub Services configuration.

Intelligent Hub is an overhaul of the AirWatch Agent to deliver full Unified App Catalog features, allowing the Hub to be the one stop shop for users to access any app on any device. The app also allows Administrators to deliver notifications to end users.

If you are an end to end Workspace ONE user, integrating UEM (Unified Endpoint Management, powered by AirWatch) with VMware Identity Manager, you’ll probably want to deliver your SaaS Apps as well as Native applications.

To do this you’ll need to enable the following:

In Workspace ONE UEM

  1. Head to Hub Configuration under Settings.
  2. Click Hub Configuration and click Launch (If Identity Manager isn’t integrated, you’ll be given a step by step to complete this). NOTE: Cloud hosted Identity Manager is required for both UEM Native and IDM SaaS Application presentation within the Hub application. 
  3. Select the features you want to enable in the Hub application. Branding changes can also be configured from here.