EUCbackup Default chapterWokspaceone UEM - ADCS integration

Wokspaceone UEM - ADCS integration

Setting up ADCS

The purpose of this lab is to integrate a Microsoft Active Directory Services Certificate Services (ADCS) with Workspaceone UEM. We will first ensure that the ADCS is setup properly and  a Certificate Authority and Certificate Template have been properly configured.

1. Connect to the Control Center and click Start > Administrative Tools then click on the Certificate Authority Service

2. Once Certsrv is open you can right click on the CONTROL CENTER-CA and select Properties

3. Navigate to Security tab in the pop-up window and click add

4. Now type imaservice click check names and it will auto-complete to - then click OK and it will add this user

5. Select the user that has just been added and give him the permissions below by selecting the little check boxes next to Read, Issue and Manage Certificates and Request Certificates > Click OK at the bottom of the window to confirm the addition of the services account the the Certificate Authority.

We will now enable the CA to use Subject Alternative Name on its Certificates

1. Open the command prompt and type the following command

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

2. Then you restart the service

net stop certsvc
net start certsvc


We will now configure the certificate template which will be used to request certificates against the Certificatre Authority.

1. Open the certsvc utility. Expand CONTROLCENTER-CA with the arrow on the left and then right click Certificate Templates then click on Manage

2. The Certificates Template Console should now be open scroll to the User template and right-click.

3. Select Duplicate Template now the Properties of New Template will open up

4. In the first tab Compatibility select Windows Server 2012 R2 as the Certificate Authority and Windows 8.1 / Windows Server 2012 R2 as the Certificate Recipient

5. In the General tab write LiveFire User as the name of the template display name, notice the template name adjusts automatically to the same value with no spaces

6. Set the validity period to 1 month and the renwal period to 2 weeks. Click Apply at the bottom

7. Select the Request Handeling tab. Leave everything as default here. The purpose should be Signature and encryption and the "Allow private key to be exported" should be checked. This is required for iOS

8. Now select the Subject Name tab and select supply in request. This means UEM will supply the Subject Name for the certificate, if not selected the request will seem to be coming from the service account. Confirm the security pop-up by click OK.

9. Now click on the Security Tab, notice the Group or user names does not have the service account we require. Click add

10. Now type iamservice in the Enter the object name to select field and click Check Names. It should auto-complete to IMA Service ( click OK

11. Now selet the account IMA Service and give it the Enroll permission by clicking the check box in the Persmissions for IMA Service box

12. Now click OK to close the Properties of New Template windows.

1. Go back to the Certsrv and navigate to Certificate Templates under ControlCenter-CA.

2. Right click Certificate Templates and click New > Certificates Template to Issue

3. On the "Enable Certificates Templates" windows navigate to the LiveFire User templates we created in the instructions above. Click OK to select template

Setting up WS1 UEM & ADCS

You will now have to setup the WorkspaceOne UEM console to request Certificates to this certificate template on behalf of the use.

1. Open the UEM console by navigating to > Authenticate using your e-mail address and password.

2. Now navigate to the Groups & Setting in the bottom left of the browser and select All Settings

3. The Settings panel will open, now under System select Enterprise Integration > Certificate Authorities

4. Click ADD  and type the following to establish a connection to the CA. NOTE: this connection to the CA is via the ACC.

Name: Control Center

Authority Type: Microsoft ADCS

Server Host Name:


Authentication: Service Account

Username: imaservice

Password: VMware1!


5. In the Certificate Template fill the following fields:

Name: LiveFireUser (No Spaces)

Certificate Authority: Control Center

Issuing Template : LiveFireUser

Subject Name: CN={DeviceUid}

Private Key Length: 2048

Private Key Type: Signing & Encryption

Automatic Certificate Renewal: Enable

Enable Certificate Revocation: Check

Publish Private Key: DISABLED

Click SAVE


You must now create a credential payload profile in order to distribute the certificates to the devices.

1. Close out of the settings in the UEM console and select Devices > Profiles & Resources > Profiles  >

2. In the Profiles page click ADD > Add Profile

3. Select the operating system you have previously enrolled (iOS, Android or Windows)

4. in the New Profile Wizard in the General tab name the profile udid_cert

In the Smart Group field assign the profile to your Organization Group

5. Navigate to the credentials payload and select Defined Certificate Authority , Control Center , and LiveFireUser as the certificate template

6. Click SAVE & PUBLISH > Notice you will now have the enrolled device showing as the device assignment.

7. Click PUBLISH to finalise the profile creation process.


Verify the device has received the certificate:

1. in the UEM console navigate to Devices > List View > select the device you have just pushed the profile to.

2. In the Details view of the device select the Profiles tab and notice there is a green check mark next to the credentials profile we have just deployed.

3. Additionally you can navigate to the Devices > Certificates > List View   where you will see the certificate that has been issues to the device

4. You will see that you can click the checkbox on the certificate and Revoke & Renew this certificate. This is incredibly powerful as the UEM console can also manage the lifecycle of the user & device certificates.

5. You will noticed that you have the certificate also available locally on your device to view under the settings > device management options. (This depends on the platform)



Add your comment

E-Mail me when someone replies to this comment