How to Setup EAP-TLS with Workspace One

SecureW2 has helped all kinds of customers, from SMBs to educational institutions, transition to certificates. The benefits of certificate-based authentication far exceed those of passwords in terms of both user experience and security. Certificates eliminate over-the-air credential theft and do away with password-change policies, decreasing the number of support tickets caused by password-related disconnects. The end user only needs to enter their credentials once and download a certificate, and the device is set for life.

SecureW2’s world-renowned PKI services allow both managed devices and BYODs to be easily authenticated and configured for the main network. Customers can create a SCEP Gateway and configure their MDMs, like Workspace One Powered By AirWatch, to send payloads to all managed devices, automatically configuring them for 802.1X and equipping them with a certificate. What’s amazing about SecureW2’s PKI is how it works with all major RADIUS servers and APs, so you can keep your current infrastructure. Below is a brief overview of how to integrate our PKI with Workspace One, with a more in-depth guide further down.

Tech Overview

    1. Configuring the SecureW2 Managed Device Gateway API
      • SecureW2’s PKI allows you to easily enroll certificates on your Workspace One devices by setting up a SCEP gateway.
      • Using a trusted CA, which SecureW2 offers, you can configure the payload to distribute authenticated certificates onto Workspace One devices.
    2. Configuring the SCEP profile
      • The SecureW2 API token wizard allows you to configure the SCEP profile by generating a shared secret and access token.
      • The shared secret and access token can generate a SCEP URL which will start enrolling certificates when added to Workspace One.
    3. Configuring the Wi-Fi profile
      • Configure the appropriate Wi-Fi settings so that the device, using its certificate, automatically connects to the right server.
      • Using the SCEP-enrolled certificate, the device can be authenticated with EAP-TLS.
    4. Pushing certificates to Workspace One devices
      • The SCEP URL can be added to Workspace One devices so the SCEP gateway can distribute certificates.
      • With certificates installed on the Workspace One devices and EAP-TLS authentication in place, there is no need for manual configuration or the security risk it poses.


The following are the prerequisites for setting up Simple Certificate Enrollment Protocol (SCEP) on Workspace One Powered By AirWatch:

  • End users can enroll their device with Workspace One.
  • Certificate for Apple push notifications has been created and uploaded in Workspace One.


Generating SCEP URL and Secret

To generate the SCEP URL and secret, perform the following steps:

  1. Log into the SecureW2 Management Portal.
  2. Navigate to Identity Management -> API Tokens.
  3. Click Add API Token -> New. The following screen appears:
  4. Enter Name and select SCEP Enrollment Token from the Type drop-down list and click Save.
  5. A csv file containing the SCEP URL and secret is downloaded.

Figure: Generating the SCEP API Token

NOTE: Save this file securely. This file is downloaded only once at the time of token creation. If lost, the token and secret cannot be retrieved.

You can also refer to the steps mentioned in the section Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide for your reference.
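Before pasting the downloaded URL and secret into Workspace One, it is worth checking what the gateway actually advertises. The example below is added here and is not SecureW2 code: it reads a constructed copy of the token CSV (the column names `SCEP URL` and `Secret` and the URL are assumptions), builds the SCEP `GetCACaps` query, and evaluates the capability list a gateway returns against what an EAP-TLS enrollment needs.

```python
import csv
import io
from urllib.parse import urlsplit, urlencode

# Constructed sample of the token export. The column names are an assumption;
# match them to the header of the file you actually downloaded.
SAMPLE_CSV = """Name,SCEP URL,Secret
Workspace One SCEP,https://scep.example.invalid/scep/EXAMPLE-TOKEN-ID,PLACEHOLDER-SHARED-SECRET
"""

# Capability keywords a server may return to GetCACaps (RFC 8894, section 3.5.2).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

def load_scep_token(csv_text):
    """Return (url, secret) from the exported CSV, rejecting non-HTTPS gateways.

    The static challenge travels inside the enrollment request, so the gateway
    URL must be https:// or the shared secret is exposed in transit."""
    row = next(csv.DictReader(io.StringIO(csv_text)))
    url, secret = row["SCEP URL"].strip(), row["Secret"].strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCEP URL must be an absolute https:// URL: %r" % url)
    if not secret:
        raise ValueError("SCEP secret is empty")
    return url, secret

def get_ca_caps_url(scep_url):
    """GetCACaps is an unauthenticated GET; no challenge is needed to query it."""
    return scep_url + "?" + urlencode({"operation": "GetCACaps"})

def assess_ca_caps(body):
    """Parse a GetCACaps response body (one keyword per line) and report gaps."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    findings = []
    if "SHA-256" not in caps and "SHA-512" not in caps:
        findings.append("only SHA-1 advertised: enrollment messages use a weak digest")
    if "AES" not in caps:
        findings.append("AES not advertised: PKCS#7 envelopes fall back to triple-DES")
    if "POSTPKIOperation" not in caps:
        findings.append("no POSTPKIOperation: requests go base64-encoded in GET query strings")
    if "Renewal" not in caps:
        findings.append("no Renewal: devices must re-enroll with the challenge at expiry")
    return {"caps": sorted(caps), "unknown": sorted(caps - KNOWN_CAPS), "findings": findings}
```

Fetch `get_ca_caps_url(url)` with any HTTP client and pass the response text to `assess_ca_caps`; an empty findings list means the gateway supports the modern SCEP profile.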


Creating New Intermediate CA for SCEP Gateway Integration

As a best practice, we recommend creating a new intermediate CA for the JoinNow SCEP Gateway integration with Workspace One. With a dedicated CA in place, the emails that SecureW2 JoinNow triggers when a certificate expires can be disabled.

To add a new intermediate CA, perform the following steps:

  1. Log into SecureW2 Management Portal.
  2. Navigate to PKI Management -> Certificate Authority -> Add Certificate Authority.
  3. Under Basic, select Intermediate CA from the Type drop-down list.
  4. In the Common Name field, enter a name of your choice and click Save. This generates the new intermediate CA.


Creating User Role

To add a role policy, perform the following steps:

  1. Navigate to Policy Management -> User Roles -> Add Roles Policy.
  2. In the Basic tab, enter the Name and Description for the role policy in the fields provided.
  3. Click Save. The page will refresh and display the Conditions tab.
  4. Under Identity Providers, select the SCEP Token you created in “Generating SCEP URL and Secret” from the drop-down list.

Figure: Creating the Role policy to be distributed to users


Creating Enrollment Policy

To add an enrollment policy, perform the following steps:

  1. Navigate to Policy Management -> Enrollment -> Add Enrollment Policy.
  2. In the Basic tab, enter the Name and Description for the enrollment policy in the fields provided.
  3. Click Save. The page will refresh and display the Conditions tab.
  4. Select the user role policy created in “Creating User Role”. Both User and Device role policies are required for enrollment.
  5. Under Settings -> Use Certificate Authority, select the CA created in “Creating New Intermediate CA for SCEP Gateway Integration”.

NOTE: A fallback device policy can be used to allow enrollment based on the User Policy only.


Setting Up Certificate Enrollment via SCEP on Workspace One

Perform the following steps to set up the Certificate Enrollment via SCEP on Workspace One:

Create a Certificate Authority on the Workspace One MDM Portal:

  1. Log in to the Workspace One MDM Portal.
  2. Navigate to Devices -> Certificates -> Certificate Authorities.
  3. Click Add to create a new Certificate Authority.
  4. Enter a Name and Description.
  5. Select Generic SCEP from the Authority Type.
  6. Enter the SCEP server URL from the downloaded csv file.
  7. Select Static as the Challenge Type.
  8. Enter the Secret from the downloaded csv file.
  9. Click on Save to save the Certificate Authority.

Figure: Creating the certificate authority that will store the certificate used

Create a Certificate Template:

  1. Go to Devices -> Certificates -> Certificate Authorities -> Request Templates.
  2. Click Add to create a new Certificate Template.
  3. Enter a Name and Description for the template.
  4. Provide the CA created earlier under Certificate Authority.
  5. Select the Common Name of the certificate from the drop-down list, for example the email address of the user.
  6. Enter the Length of the Private Key.

Figure: Configuring the certificate template to be used by AirWatch devices

Create a Profile:

  1. Navigate to Devices -> Profiles & Resources -> Profiles.
  2. Click Add and select the Operating System. In this example, a profile for Android is created.
  3. Enter the Name for the profile.
  4. Click on Credentials and click Configure.
  5. Select Defined Certificate Authority in Credential Source.
  6. Select the newly created Certificate Authority from the Certificate Authority Menu.
  7. Select the newly created Certificate Template from the Certificate Template menu.
  8. Save & Publish to complete the profile.

Figure: Identifying the source of certificates

With the final Save & Publish, the setup is complete. The organization can use the SCEP gateway integrated with Workspace One to distribute certificates without admins having to configure devices manually or, worse, relying on end users to do so. The configuration profile initiates the enrollment process on the device, which automatically enrolls for a certificate and connects to the secure network. Configuring the necessary components is straightforward, and the organization benefits from the security and efficiency that certificate-based security brings to the network.

AirWatch is a registered trademark of VMware in the United States and/or other countries. Other trademarks, logos and service marks used on this site are the property of SecureW2 or other third parties.
