Do want to enable Single Sign On with Safari into Workspace ONE? Maybe you’ve followed this post or this post? In the following guide we’ll set up the macOS Identity Preference configuration to ensure when accessing your Workspace ONE platform, you are seamlessly signed on using your certificate instead of a username and password.


macOS – Safari SSO

First, set up your credentials payload to deliver a User certificate to at least one managed device. This allows us to grab the UUID of the Credential payload.

NOTE: For this next step, “Encrypt Profiles” needs to be disabled for us to obtain the UUID of the Credentials payload. Many thanks to Craig Johnston for the tip! If this is enabled, disable it and re-install the certificate profile. (Be sure to re-enable it after!)

Settings > All Settings > Devices & Users > Apple > Profiles.

  • Head to Devices > Profiles & Resources > Profiles
  • Find your new macOS Credentials payload.
  • Click on the Installed count number, the one with a green tick. 
  • Pick a device, any device, and click View XML
  • Select the PayloadUUID of the Payload Type. Copy the text between <string></string> into your notepad of choice. 
  • See below to finishing preparing your Custom Settings.

Custom Settings Payload Prep

Now you have the PayloadUUID of the Credentials payload that’s delivering your certificates, you can use this to set the Identity Preference payload.

  1. Edit the Name key to the CAS url of your VMware Identity Manager tenant. Likely .com, etc).
  2. Update the PayloadCertificateUUID to the value saved in the previous set of steps.
  3. Open your existing macOS Credentials Profile, click Add Version, select the  Custom Settings payload and click Configure. Paste the XML.
	<string>Identity Pref</string>

Our example:

Click Save and Publish, preview the changes and Publish.

Validate your Settings

When your profiles have successfully installed, you can check its set by going to the Profiles preference pane, and checking your SSO profile for an Identity Preference setting.

Congratulations! You’ve just saved all your users time every time they login to Workspace One!


You may see various issues when deploying this, main thing to check if your Profile Encryption is off when running these changes. You can re-enable this later.

If you have malformed Custom XML profile you will get Profile Install errors under Your Device > More Actions > Troubleshooting:

Feel free to drop a comment here if you have any issues deploying this solution, also if you deploy this successfully we’d really appreciate your feedback!

Spread the love