
[Technical How-To] Establish Office 365 Certificate Authentication in VMware Workspace ONE

Today’s post explains how to establish certificate-based authentication for Microsoft Office 365 in VMware Identity Manager.

App Access & Management with VMware Workspace ONE

VMware Workspace ONE unifies VMware Identity Manager access control and application management and VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device.

Office 365 Certificate Authentication with Identity Manager Overview


Certificate-based authentication for Microsoft Office 365 provides employees seamless access to email and other resources. Relying on client certificates simplifies authentication by eliminating the need for employee username and password combinations. Pair certificate-based authentication for Office 365 with VMware Workspace ONE to streamline access for Windows, Android and iOS devices.



Benefits of Certificate-Based Authentication

  • Eliminate Brute-Force Threats: Certificate authentication replaces basic and NT LAN Manager (NTLM) authentication, eliminating password-guessing attacks against those endpoints.
  • Ensure Device Compliance: Only compliant devices receive valid certificates. Requiring a valid certificate therefore ensures that the requesting device is enrolled with Workspace ONE and meets the defined corporate policies.
  • Manage the Certificate Lifecycle: Automate and control the request, revocation and renewal phases of the client certificate lifecycle.
  • Integrate with Public Key Infrastructure (PKI) & Managed PKI Infrastructure: Workspace ONE uses a dedicated certificate authority (CA) and certificate to avoid conflicts with an organization’s other certificate deployments.


Office 365 Certificate Authentication with Identity Manager Configuration


Before You Begin



Configure Office 365 Certificate Authentication with Identity Manager

The video at the top of this post provides a how-to demonstration of Office 365 certificate authentication with Identity Manager. Step-by-step instructions for the processes covered in the video follow below.


Step 1: Download the Root & Intermediate CA Certificate

To configure a trusted CA in Azure, upload any applicable root and intermediate certificates for the CA issuing the user certificates.

Step 2: Install the Azure AD PowerShell Module

Install Azure AD PowerShell Module 2.0.0.33 or higher for use in configuring the Azure AD trusted CA.

  1. Run Windows PowerShell as Administrator
  2. Run the following command:
    Install-Module -Name AzureAD
  3. Accept any prompts to install
  4. Review the command output that displays:
    • If a success message displays, proceed to the next step.
    • If an error message displays, troubleshoot before proceeding.

Step 3: Configure the Azure AD Trusted CA

After installing the module, use PowerShell to connect to Azure AD and configure a trusted CA. Then validate the CA’s configuration.

  1. Run Windows PowerShell as Administrator.
  2. Connect to Azure AD:
    Connect-AzureAD
  3. Once connected, enter global administrator credentials to authenticate.
  4. Populate the certificate variable in PowerShell:
    $cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]"

    Note: If one or more intermediate CAs are included in the certificate path, add each of them as a separate trusted CA in Azure.
  5. Create the AzureAD CA variable:
    $new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $new_ca.AuthorityType=0    # 0 = root CA, 1 = intermediate CA
    $new_ca.TrustedCertificate=$cert

  6. Configure a CRL endpoint that Azure can reach:
    $new_ca.crlDistributionPoint="<CRL Distribution URL>"
    Note: If the CRL is not accessible or the certificate is revoked, authentication falls back to the standard flow.
  7. Create the new AzureAD trusted CA object in Azure:
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
  8. Validate that the trusted CA object was created:
    Get-AzureADTrustedCertificateAuthority
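The steps above run one cmdlet at a time for a single CA. The script below is an added example, not code from the original post or from VMware, that performs Steps 3 through 8 for a root and an intermediate CA in one pass, refuses to upload a file that is not actually a CA certificate, and then validates the result by comparing thumbprints against what Azure AD reports. The file paths, CRL URLs and the `$cas` list are assumptions to be replaced with your own values; the cmdlets, the `CertificateAuthorityInformation` class and its properties are the ones the post already uses. It targets Windows PowerShell 5.1, where `Get-Content -Encoding Byte` is valid and the AzureAD module loads.

```powershell
# Added example (not from the original post): register a root and an intermediate CA
# with Azure AD as trusted certificate authorities, then validate what the tenant holds.
# Requires the AzureAD module from Step 2. Paths and CRL URLs are placeholders.
$cas = @(
    @{ Path = 'C:\certs\root-ca.cer';    Type = 0; Crl = 'http://crl.example.com/root-ca.crl' },    # 0 = root CA
    @{ Path = 'C:\certs\issuing-ca.cer'; Type = 1; Crl = 'http://crl.example.com/issuing-ca.crl' }  # 1 = intermediate CA
)

Connect-AzureAD | Out-Null   # prompts for global administrator credentials

foreach ($ca in $cas) {
    # Azure AD expects the DER-encoded certificate as a byte array.
    $bytes = Get-Content -Path $ca.Path -Encoding Byte

    # Parse the file locally so we can log what is being uploaded and confirm it
    # really is a CA certificate (Basic Constraints CA=TRUE) before trusting it tenant-wide.
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    $basicConstraints = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
        throw "$($ca.Path) is not a CA certificate (no Basic Constraints CA=TRUE); refusing to upload."
    }

    $info = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $info.AuthorityType        = $ca.Type
    $info.TrustedCertificate   = $bytes
    $info.crlDistributionPoint = $ca.Crl   # must be reachable from Azure, not only from your network

    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $info | Out-Null
    Write-Host ("Uploaded {0} CA: {1} (thumbprint {2}, expires {3:yyyy-MM-dd})" -f `
        @('root', 'intermediate')[$ca.Type], $x509.Subject, $x509.Thumbprint, $x509.NotAfter)
}

# Validation: list every trusted CA in the tenant and check that each CA we just
# uploaded is present, matching on thumbprint rather than on subject name.
$tenantCAs = Get-AzureADTrustedCertificateAuthority
foreach ($ca in $cas) {
    $local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,(Get-Content -Path $ca.Path -Encoding Byte))
    $match = $tenantCAs | Where-Object {
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$_.TrustedCertificate)
        $remote.Thumbprint -eq $local.Thumbprint
    }
    if ($match) { Write-Host "OK      $($local.Subject) is trusted (CRL: $($match.crlDistributionPoint))" }
    else        { Write-Warning "MISSING $($local.Subject) was not found in the tenant's trusted CA list" }
}
```

Matching on thumbprint matters because two CAs can share a subject name (for example after a CA key rollover); the thumbprint check tells you which certificate the tenant actually trusts. If the validation loop reports a CA as missing, rerun `Get-AzureADTrustedCertificateAuthority` after a short wait before assuming the upload failed, and remove stale entries with `Remove-AzureADTrustedCertificateAuthority` so that only the intended chain is trusted.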

Step 4: Configure the Certificate Template in AirWatch

After configuring the trusted CA in PowerShell, configure a template that requests client certificates in the AirWatch console.

Certificates must contain the Office 365 user principal name (UPN) to map correctly to devices. Add the Office 365 UPN as a subject alternative name (SAN) value in either the UPN or email (RFC822) field.
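Before rolling the profile out, it is worth checking a certificate issued from the template against the requirements above. The script below is an added example, not code from the original post or from VMware: it reads a client certificate exported from a test device, confirms the SAN carries the expected Office 365 UPN as either a UPN (Principal Name) or RFC822 e-mail entry, confirms the Client Authentication EKU is present, and confirms the certificate chains through the CA registered in Azure AD with its CRL reachable. The file paths and `$expectedUpn` are placeholders; the `Principal Name=` and `RFC822 Name=` labels are the strings the English Windows CryptoAPI uses when formatting the SAN extension, which is an assumption if your system runs another language.

```powershell
# Added example (not from the original post): validate an issued client certificate
# against what Office 365 certificate authentication needs. Paths and UPN are placeholders.
$clientCertPath = 'C:\certs\user-device.cer'   # certificate exported from an enrolled test device
$caCertPath     = 'C:\certs\issuing-ca.cer'    # the CA registered in Azure AD in Step 3
$expectedUpn    = 'jane.doe@example.com'       # the user's Office 365 UPN

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $clientCertPath
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath
$problems = @()

# 1. Subject Alternative Name must carry the UPN, either as a Principal Name (UPN otherName)
#    or as an RFC822 e-mail name. Windows renders the extension as text, so match the labels.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) {
    $problems += 'no Subject Alternative Name extension'
} else {
    $sanText = $sanExt.Format($true)
    $names   = [regex]::Matches($sanText, '(?:Principal Name|RFC822 Name)=(\S+)') |
               ForEach-Object { $_.Groups[1].Value }
    if ($names -notcontains $expectedUpn) {
        $problems += "SAN does not contain '$expectedUpn' (found: $($names -join ', '))"
    }
}

# 2. Extended Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') {
    $problems += 'EKU does not include Client Authentication'
}

# 3. The certificate must chain through the CA uploaded to Azure AD. The CA goes into the
#    extra store so the check works even if it is not installed on this machine, and
#    revocation is checked online, which also proves the CRL URL is reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'Online'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built = $chain.Build($cert)
$chainThumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
if (-not $built) {
    $statuses = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
    $problems += 'chain build failed: ' + ($statuses -join '; ')
}
if ($chainThumbprints -notcontains $ca.Thumbprint) {
    $problems += "chain does not pass through the Azure AD trusted CA ($($ca.Subject))"
}

# Report the outcome.
if ($problems.Count -eq 0) {
    Write-Host "OK: $($cert.Subject) is usable for Office 365 certificate authentication as $expectedUpn"
} else {
    Write-Warning "$($cert.Subject) will NOT authenticate as expected:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
}
```

A certificate that fails check 1 is the most common cause of a device silently dropping to the password flow: Azure AD has nothing to map the certificate to, so the fallback described in Step 6 takes over without any error visible on the device. Running this check on one certificate per template before enabling the profile for a wider group saves that kind of debugging.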

Step 5: Create an Exchange ActiveSync Profile in AirWatch

After creating the certificate template in the AirWatch console, create a device profile that provisions user certificates to enrolled devices.

  1. Create a new device profile (in this case iOS).
  2. Add a credentials payload and associate the appropriate certificate request template.
  3. Use lookup values, where applicable, to configure an Exchange ActiveSync payload for Office 365:
    • Exchange ActiveSync Host: office365.com
    • Domain: User’s email domain in Office 365
    • Username: User’s Office 365 account (usually maps to user’s email address)
    • E-mail Address: User’s email address
    • Password: {Empty field}
    • Payload Certificate: Choose the certificate payload that matches what was configured in step 2.

Step 6: Create Authentication Policies for Fallback Flow

In Azure, certificates from a trusted CA are Optional (to borrow IIS terminology). This means that authentication does not rely solely on certificates: in lieu of a certificate, Azure falls back to basic authentication, and ActiveSync traffic in turn falls back to the default WS-Federation active flow.

To make sure only devices with valid certificates access Exchange Online, create policies that block authentication via basic credentials. In the Identity Manager admin catalog, navigate to the Office 365 application. Then, from the access policies menu, create policies that either block all users or allow only a subset of users/clients to authenticate with basic credentials.


