--- title: Configuring Workspace ONE UEM for PingID description: To manage the PingID app using Workspace ONE UEM (formerly known as AirWatch), you must apply several configuration settings. component: pingid page_id: pingid:pingid_service_management:pid_configuring_workspace_one_uem canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_workspace_one_uem.html revdate: January 25, 2024 section_ids: ongoing-maintenance: Ongoing maintenance installing-an-apns-certificate-for-ios-in-workspace-one-uem: Installing an APNs certificate for iOS in Workspace ONE UEM about-this-task: About this task steps: Steps configuring-android-for-work-for-workspace-one-uem: Configuring Android for Work for Workspace ONE UEM about-this-task-2: About this task steps-2: Steps configuring-workspace-one-uem-for-pingid-mdm-integration: Configuring Workspace ONE UEM for PingID MDM integration about-this-task-3: About this task steps-3: Steps result: Result: result-2: Result: updating-a-pingid-token-in-workspace-one-uem: Updating a PingID token in Workspace ONE UEM about-this-task-4: About this task steps-4: Steps --- # Configuring Workspace ONE UEM for PingID To manage the PingID app using Workspace ONE UEM (formerly known as AirWatch), you must apply several configuration settings. The initial Workspace ONE UEM configuration comprises the following: 1. [Installing an APNs certificate for iOS in Workspace ONE UEM](pid_installing_apns_certificate_ios_workspace_one_uem.html) 2. [Configuring Android for Work for Workspace ONE UEM](pid_configuring_android_work_for_workspace_one_uem.html) 3. [Configuring Workspace ONE UEM for PingID MDM integration](pid_configuring_workspace_one_uem_for_mdm_integration.html) ## Ongoing maintenance As part of MDM maintenance activities, new tokens for the PingID app can be generated and old tokens revoked. For more information, see the following topics: * In PingID: * [Adding a new MDM token](pid_adding_new_mdm_token.html) * [Revoking an MDM token](pid_revoking_an_mdm_token.html) * [Rotating MDM tokens](pid_rotating_mdm_tokens.html) * In Workspace ONE UEM: * [Updating a PingID token in Workspace ONE UEM](pid_updating_token_workspace_one_uem.html) | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The previous configuration steps are for use cases where PingID MFA authenticating devices are managed by the Workspace ONE UEM MDM. In cases where PingFederate is used to apply policies on accessing devices managed by Workspace ONE UEM, see [Workspace ONE UEM Integration Kit](http://docs.pingidentity.com/integrations/workspaceone-uem/pf_workspaceone_uem_ik.html). | ## Installing an APNs certificate for iOS in Workspace ONE UEM Install an Apple Push Notification service (APNs) certificate in Workspace ONE UEM. ### About this task To support iOS devices, an Apple mobile device management (MDM) certificate must be installed in the organization's MDM. ### Steps 1. In the Workspace ONE UEM admin console, download an APNS certificate signing request (CSR). 1. Go to **Settings → Apple → APNs for MDM**. 2. Click **Generate New Certificate**. ![Screen capture of the APNs For MDM section with Generate New Certificate highlighted.](_images/kcf1564020706262.png) 3. Click **MDM\_APNsRequest.plist**. 4. Click **Go To Apple**. ![Screen capture of the APNs For MDM section with MDM APNsRequest.plist and Go To apple highlighted.](_images/dsg1564020707197.png) 2. Sign on to the Apple Push Certificates Portal. ![Screen capture of the Apple Push Certificates Portal.](_images/agx1564020687838.png) 3. Click **Create a Certificate** on either the **Get Started** window or the **Certificates for Third-party Servers** window. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your organization does not yet have any Apple Push Certificates, the **Get Started** section is displayed. Otherwise, the **Certificates** list view window is displayed.![Screen capture of the Get Started window with Create a Certificate highlighted.](_images/dqb1564020689783.png) | 4. To browse for the CSR file created earlier, click **Choose File**, and then click **Upload**. ![Screen capture of the Create a New Push Certificate window with Choose File highlighted.](_images/ydc1564020690628.png) 5. Click **Download**. ![Screen capture of the Certificates for Third-Party Servers section with Download highlighted.](_images/cix1564020691914.png) 6. Upload the APNs certificate in Workspace ONE UEM. 1. Go to **Devices & Users → Apple → APNs for MDM**. ![Screen capture of the APNs for MDM window with Save highlighted.](_images/kvp1564020708193.png) 7. Click **Save**. ## Configuring Android for Work for Workspace ONE UEM Configure Android for Work for the organization's mobile device management (MDM) so the PingID app configuration can be pushed to Android devices. ### About this task | | | | - | ----------------------------------------------------------------------------------------------------------------------------------- | | | This is an example configuration of Android for Work with G Suite. Android for Work can also be configured for MDM without G Suite. | ### Steps 1. In Workspace ONE UEM, go to **Settings → Devices & Users → Android → Android For Work**. ![Screen capture of the Devices & Users section with the Android For Work option highlighted.](_images/wln1564020709569.png) 2. Click **Click here**. The browser redirects to G Suite, and on completion of the configuration, returns to Workspace ONE UEM. ![Screen capture of the Android For Work section with 'If you are deploying G Suite, Click here' highlighted.](_images/uwo1564020710345.png) 3. In Workspace ONE UEM, in the **Android For Work** window, click **Configure**, and fill in the required details. ![Screen capture of Android For Work showing multiple required fields for Google Admin Console Settings, such as Domain, Enterprise Token, and Google Admin Email Address, and for Google Developer Console Settings, such as Client ID, Google Service Account Email Address, and Certificate ID.](_images/wvd1564020711140.png) ## Configuring Workspace ONE UEM for PingID MDM integration Configure PingID as a mobile device management (MDM) managed app in Workspace ONE UEM (formerly known as AirWatch). ### About this task | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The procedure detailed here is the iOS example for the configuration of Workspace ONE UEM for PingID MDM integration. The procedure for Android is identical. If the organization's MDM manages both iOS and Android devices, configure and save the entire procedure separately for each platform. | ### Steps 1. In the Workspace ONE UEM admin console, go to **Apps & Books → Applications → List View** 2. On the **Public** tab, click **Add application**. ![Screen capture of the Public tab with the Add Application button highlighted.](_images/hvf1564020712278.png) 3. From the **Platform** list, select **Apple iOS**. ![Screen capture of the Add Application window with the Platform list displayed. Platform options include Apple iOS, Android, Windows Phone, and Windows Desktop.](_images/wab1564020713184.png) 4. In **Source** field, click **Search App Store**. ![Screen capture of the Add Application window showing the Source field. The Source field has two options: Search App Store and Enter URL. The Search App Store option is selected.](_images/gbb1564020713915.png) 5. In **Name** field, enter `PingID`. 6. Click **Next**. 7. In the mobile app store, for the PingID mobile app, click **Select**. ![Screen capture of the mobile app store with Select highlighted for the PingID mobile app.](_images/vzn1564020714594.png) #### Result: The PingID mobile app's details are displayed in the **Details** tab. ![Screen capture of the Detials tab.](_images/cfy1564020715594.png) 8. Click the **Assignment** tab. 9. Go to the **Policies** section. ![Screen capture of the Assignment tab with the Polices section highlighted.](_images/nec1564020716356.png) 10. In the **Send Application Configuration** field, click **Enabled**. #### Result: The **Application Configuration** section displays.![Screen capture of the Assignment tab with the Application Configuration input fields displayed.](_images/mbv1564020717486.png) 11. In the **Application Configuration** section, enter the following parameter values. | Parameter | Value | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Configuration Key** | `PINGID_MDM_TOKEN`. For iOS, the value PINGID\_MDM\_TOKEN must be entered manually. For Android, the value PINGID\_MDM\_TOKEN is prepopulated. | | **Value Type** | `STRING` | | **Configuration value** | The token string value for MDM, as generated in the PingID admin web configuration page. | 12. In the **Make app MDM Managed If User Installed** field, click **Enabled**. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------- | | | This option transitions a non-managed app downloaded from the app store to a managed app. The user must approve it on their device. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * For Apple devices earlier than iOS 9 and Android devices Users must execute the following steps: 1. Unpair the PingID mobile app on the iOS device. 2. Uninstall the PingID mobile app from the iOS device. 3. Reinstall the PingID mobile app, from the MDM's app catalog. 4. Pair the newly installed, MDM managed PingID mobile app. * For Apple devices with iOS 9 and later The user receives a notification on their device to approve the transition to MDM management. After user approval, the PingID mobile app installed on the iOS device is managed by the MDM. | 13. Click **Save & Publish**. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Repeat the entire configuration process for Android. The prerequisite to the Android app configuration is [Configuring Android for Work for Workspace ONE UEM](pid_configuring_android_work_for_workspace_one_uem.html). | ## Updating a PingID token in Workspace ONE UEM Update the token PingID managed app in Workspace ONE UEM for iOS. ### About this task | | | | - | ------------------------------------------------------------------------------ | | | You must configure and save the entire procedure separately for each platform. | ### Steps 1. In the Workspace ONE UEM admin console, go to **Apps & Books → Applications → List View**. 2. On the **Public** tab, select the **PingID iOS** app to edit, and then click the **Pencil** icon. ![Screen capture of the Public tab with the Pencil icon for the PingID iOS app highlighted.](_images/pgb1564020720155.png) 3. Click the **Assignment** tab. ![Screen capture of the Assignments tab with the Polices section and required fields highlighted.](_images/cag1564020721051.png) 4. Go to the **Policies** section. 5. In the **Application Configuration** section, enter the following parameter values. | Parameter | Value | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Configuration Key** | `PINGID_MDM_TOKEN`. For iOS, the value PINGID\_MDM\_TOKEN must be entered manually. For Android, the value PINGID\_MDM\_TOKEN is prepopulated. | | **Value Type** | `STRING` | | **Configuration value** | The token string value for MDM, as generated in the PingID admin web configuration page. | 6. Click **Save & publish**. | | | | - | -------------------------------------- | | | Repeat the entire process for Android. |