Do want to enable Single Sign On with Safari into Workspace ONE? Maybe you’ve followed this post or this post? In the following guide we’ll set up the macOS Identity Preference configuration to ensure when accessing your Workspace ONE platform, you are seamlessly signed on using your certificate instead of a username and password.
- Workspace ONE Identity Manager
- Workspace ONE UEM Console
- A Certificate Authority configured within Workspace ONE UEM to issue user certificates. VMware Docs here.
macOS – Safari SSO
First, set up your credentials payload to deliver a User certificate to at least one managed device. This allows us to grab the UUID of the Credential payload.
NOTE: For this next step, “Encrypt Profiles” needs to be disabled for us to obtain the UUID of the Credentials payload. Many thanks to Craig Johnston for the tip! If this is enabled, disable it and re-install the certificate profile. (Be sure to re-enable it after!)
Settings > All Settings > Devices & Users > Apple > Profiles.
- Head to Devices > Profiles & Resources > Profiles
- Find your new macOS Credentials payload.
- Click on the Installed count number, the one with a green tick.
- Pick a device, any device, and click View XML
- Select the PayloadUUID of the com.apple.security.pkcs12 Payload Type. Copy the text between <string></string> into your notepad of choice.
- See below to finishing preparing your Custom Settings.
Custom Settings Payload Prep
Now you have the PayloadUUID of the Credentials payload that’s delivering your certificates, you can use this to set the Identity Preference payload.
- Edit the Name key to the CAS url of your VMware Identity Manager tenant. Likely https://cas-aws.vmwareidentity.eu(or .com, .co.uk etc).
- Update the PayloadCertificateUUID to the value saved in the previous set of steps.
- Open your existing macOS Credentials Profile, click Add Version, select the Custom Settings payload and click Configure. Paste the XML.
<dict> <key>Name</key> <string>https://cas-aws.vmwareidentity.eu/</string> <key>PayloadCertificateUUID</key> <string>ChangeMeToYourProfileUUID</string> <key>PayloadUUID</key> <string>fd8a6b9e-0fed-406f-9571-8ec98722b711</string> <key>PayloadType</key> <string>com.apple.security.identitypreference</string> <key>PayloadDisplayName</key> <string>Identity Pref</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.security.identitypreference</string> </dict>
Click Save and Publish, preview the changes and Publish.
Validate your Settings
When your profiles have successfully installed, you can check its set by going to the Profiles preference pane, and checking your SSO profile for an Identity Preference setting.
Congratulations! You’ve just saved all your users time every time they login to Workspace One!
You may see various issues when deploying this, main thing to check if your Profile Encryption is off when running these changes. You can re-enable this later.
If you have malformed Custom XML profile you will get Profile Install errors under Your Device > More Actions > Troubleshooting:
Feel free to drop a comment here if you have any issues deploying this solution, also if you deploy this successfully we’d really appreciate your feedback!