If your organization uses Device Compliance in your access policies for applications in Workspace ONE Access, issues with the integration between Workspace ONE UEM and Workspace ONE Access can cause authentication to fail unexpectedly. Device Compliance should also only be used in combination with another authentication method.
Follow these steps to verify the configuration requirements for Device Compliance.
Verify Workspace ONE Access Configuration

Access Policy Configuration

Ensure that the Access Policy under [Identity & Access Management > Manage > Policies] used for authentication is correctly configured. Device Compliance should always be used in combination with other authentication methods in the same rule. The only authentication methods supported in conjunction with Device Compliance are Mobile SSO for iOS, Mobile SSO for Android, and Certificate (cloud deployment).

For example, if the first rule in the default_access_policy requires Device Compliance, a primary authentication method such as Mobile SSO can be set in the rule:

- "then the user may authenticate using" - Set to Mobile SSO for iOS
- Select the + symbol next to this setting
- "and" - Set to Device Compliance

For reference, please see: Configure Compliance Checking Rules in Workspace ONE Access

Workspace ONE UEM Integration

Log into the Access Console and navigate to [Identity & Access Management > Setup > VMware Workspace ONE UEM]. Check the following values:

Workspace ONE UEM API URL:
- On-Premise UEM only: In the UEM Console, navigate to [Groups & Settings > All Settings > System > Advanced > Site URLs]. Find the REST API URL value on this page. Check that the value in Access matches https://<RESTAPI_hostname> (the REST API URL without the "/api" appended to the end).
- SaaS UEM: This value can be https://<UEM_login_hostname>. For example, if you browse to https://cn705.awmdm.com/AirWatch/Login to access the UEM Console, the URL would be https://cn705.awmdm.com. This value may also be the dedicated API endpoint for your environment. In most environments, the convention is https://as###.awmdm.com.

Workspace ONE UEM REST API Certificate:
- Select Show Certificate Details.
- The Issued By field contains CN=##:<username>. This is the username of the UEM Administrator Account for the certificate.
- This Administrator Account may not be visible in Workspace ONE UEM.
- If you are able to find it under [Accounts > Administrators > List View], ensure that it has the Console Administrator role or higher at the Customer-Type Organization Group.
- If you are not able to find it, a SQL query must be run to ensure that the account has the Console Administrator role or higher at the Customer-Type Organization Group. In cloud-hosted environments, Workspace ONE Support can assist with this step.
- If necessary, create a new administrator account with the Console Administrator role at the Customer-Type Organization Group, export its certificate, and upload it to Access.

Workspace ONE UEM Admin/Enrollment API Key:
- In the UEM Console, navigate to [Groups & Settings > All Settings > System > Advanced > API > REST API].
- Make sure that the Admin and Enrollment keys in Access match key values of type Admin and Enrollment User, respectively, on this page. There may be multiple key values.
- Part of the key values may be obfuscated (123xx****x12xx). In these cases, it is enough to ensure that the first and last characters of the keys match.
- If necessary, create new key values and copy them to Access.

Workspace ONE UEM Group ID:
- Make sure this matches the Group ID of the Customer-Type Organization Group at which Access is configured. In cloud-hosted environments, this will be the top Organization Group.

Verify Workspace ONE UEM Configuration

Log into the Workspace ONE UEM Console at the Organization Group where Access is set up (this should be the top or Customer-Type OG). Check the following values:

- Under [Groups & Settings > All Settings > System > Advanced > API > REST API], browse to the Authentication tab. Verify that Certificates is Enabled.
- Under [Groups & Settings > All Settings > System > Enterprise Integration > Workspace ONE Access > Configuration]: Verify that the Access tenant URL is correct, and verify that the Admin Username is an active administrator account in Access.
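As an added example (not part of the original article, and not VMware tooling), the following Python script encodes the comparison steps above as functions over values copied by hand from the two consoles. The ACCESS and UEM dictionaries are constructed placeholders; the masked-key format (visible leading/trailing characters around a run of asterisks) and the CN=##:<username> issuer form are assumed to look exactly as described in the article.

```python
import re

def normalize_api_url(url: str) -> str:
    """Lower-case, drop a trailing '/', then a trailing '/api' (UEM REST API URL vs. Access value)."""
    u = url.strip().lower().rstrip("/")
    return u[:-4] if u.endswith("/api") else u

def key_matches_masked(full_key: str, masked: str) -> bool:
    """UEM may show a key partly obfuscated (e.g. 123xx****x12xx): compare the visible
    leading and trailing characters; an unmasked key must match exactly."""
    m = re.fullmatch(r"([^*]*)\*+([^*]*)", masked)
    if m is None:
        return full_key == masked
    prefix, suffix = m.groups()
    return (len(full_key) >= len(prefix) + len(suffix)
            and full_key.startswith(prefix) and full_key.endswith(suffix))

def admin_from_issuer(issued_by: str):
    """Extract <username> from an Issued By value of the form CN=##:<username>; None if absent."""
    m = re.search(r"CN=[^:,]+:([^,]+)", issued_by)
    return m.group(1).strip() if m else None

def check_integration(access: dict, uem: dict) -> list:
    """Compare Access console values with UEM console values; returns findings (empty = all good)."""
    findings = []
    if normalize_api_url(access["api_url"]) != normalize_api_url(uem["rest_api_url"]):
        findings.append("API URL: Access value must equal the UEM REST API URL without '/api'")
    for kind in ("admin_key", "enrollment_key"):   # keys of type Admin / Enrollment User
        if not any(key_matches_masked(access[kind], k) for k in uem[kind + "s"]):
            findings.append(f"{kind}: no matching key value found in UEM")
    admin = admin_from_issuer(access["cert_issued_by"])
    if admin is None:
        findings.append("certificate: Issued By field is not of the form CN=##:<username>")
    elif admin not in uem["console_admins_at_customer_og"]:
        findings.append(f"certificate: '{admin}' lacks Console Administrator or higher at the Customer-Type OG")
    if access["group_id"] != uem["customer_og_group_id"]:
        findings.append("group ID: Access value differs from the Customer-Type OG Group ID")
    return findings

# Constructed sample values for a SaaS tenant (placeholders, not real data).
ACCESS = {"api_url": "https://cn705.awmdm.com", "admin_key": "AbCd123456XyZ9",
          "enrollment_key": "EnRoLl7890KeY1", "group_id": "acmecorp",
          "cert_issued_by": "CN=12:wsone-access-admin, OU=Admins, O=AirWatch"}
UEM = {"rest_api_url": "https://cn705.awmdm.com/api/",
       "admin_keys": ["QqWw****ZzYy", "AbCd******XyZ9"],
       "enrollment_keys": ["EnRoLl****KeY1"], "customer_og_group_id": "acmecorp",
       "console_admins_at_customer_og": {"wsone-access-admin", "svc-uem-admin"}}

if __name__ == "__main__":
    print(check_integration(ACCESS, UEM) or "all integration values line up")
```

Replace the placeholder dictionaries with the values read from your own consoles; any non-empty finding points at the step above to revisit.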