PingID Administration Guide

Configuring Workspace ONE UEM for PingID

To manage the PingID app using Workspace ONE UEM (formerly known as AirWatch), you must apply several configuration settings.

The initial Workspace ONE UEM configuration comprises the following:

  1. Installing an APNs certificate for iOS in Workspace ONE UEM

  2. Configuring Android for Work for Workspace ONE UEM

  3. Configuring Workspace ONE UEM for PingID MDM integration

Ongoing maintenance

As part of MDM maintenance activities, new tokens for the PingID app can be generated and old tokens revoked. For more information, see the following topics:

The previous configuration steps are for use cases where PingID MFA authenticating devices are managed by the Workspace ONE UEM MDM. In cases where PingFederate is used to apply policies on accessing devices managed by Workspace ONE UEM, see Workspace ONE UEM Integration Kit.

Installing an APNs certificate for iOS in Workspace ONE UEM

Install an Apple Push Notification service (APNs) certificate in Workspace ONE UEM.

About this task

To support iOS devices, an Apple mobile device management (MDM) certificate must be installed in the organization’s MDM.

Steps

  1. In the Workspace ONE UEM admin console, download an APNS certificate signing request (CSR).

    1. Go to Settings → Apple → APNs for MDM.

    2. Click Generate New Certificate.

      Screen capture of the APNs For MDM section with Generate New Certificate highlighted.

    3. Click MDM_APNsRequest.plist.

    4. Click Go To Apple.

      Screen capture of the APNs For MDM section with MDM APNsRequest.plist and Go To apple highlighted.

  2. Sign on to the Apple Push Certificates Portal.

    Screen capture of the Apple Push Certificates Portal.

  3. Click Create a Certificate on either the Get Started window or the Certificates for Third-party Servers window.

    If your organization does not yet have any Apple Push Certificates, the Get Started section is displayed. Otherwise, the Certificates list view window is displayed.Screen capture of the Get Started window with Create a Certificate highlighted.

  4. To browse for the CSR file created earlier, click Choose File, and then click Upload.

    Screen capture of the Create a New Push Certificate window with Choose File highlighted.

  5. Click Download.

    Screen capture of the Certificates for Third-Party Servers section with Download highlighted.

  6. Upload the APNs certificate in Workspace ONE UEM.

    1. Go to Devices & Users → Apple → APNs for MDM.

      Screen capture of the APNs for MDM window with Save highlighted.

  7. Click Save.

Configuring Android for Work for Workspace ONE UEM

Configure Android for Work for the organization’s mobile device management (MDM) so the PingID app configuration can be pushed to Android devices.

About this task

This is an example configuration of Android for Work with G Suite. Android for Work can also be configured for MDM without G Suite.

Steps

  1. In Workspace ONE UEM, go to Settings → Devices & Users → Android → Android For Work.

    Screen capture of the Devices & Users section with the Android For Work option highlighted.

  2. Click Click here.

    The browser redirects to G Suite, and on completion of the configuration, returns to Workspace ONE UEM.

    Screen capture of the Android For Work section with 'If you are deploying G Suite, Click here' highlighted.

  3. In Workspace ONE UEM, in the Android For Work window, click Configure, and fill in the required details.

    Screen capture of Android For Work showing multiple required fields for Google Admin Console Settings, such as Domain, Enterprise Token, and Google Admin Email Address, and for Google Developer Console Settings, such as Client ID, Google Service Account Email Address, and Certificate ID.

Configuring Workspace ONE UEM for PingID MDM integration

Configure PingID as a mobile device management (MDM) managed app in Workspace ONE UEM (formerly known as AirWatch).

About this task

The procedure detailed here is the iOS example for the configuration of Workspace ONE UEM for PingID MDM integration. The procedure for Android is identical. If the organization’s MDM manages both iOS and Android devices, configure and save the entire procedure separately for each platform.

Steps

  1. In the Workspace ONE UEM admin console, go to Apps & Books → Applications → List View

  2. On the Public tab, click Add application.

    Screen capture of the Public tab with the Add Application button highlighted.

  3. From the Platform list, select Apple iOS.

    Screen capture of the Add Application window with the Platform list displayed. Platform options include Apple iOS, Android, Windows Phone, and Windows Desktop.

  4. In Source field, click Search App Store.

    Screen capture of the Add Application window showing the Source field. The Source field has two options: Search App Store and Enter URL. The Search App Store option is selected.

  5. In Name field, enter PingID.

  6. Click Next.

  7. In the mobile app store, for the PingID mobile app, click Select.

    Screen capture of the mobile app store with Select highlighted for the PingID mobile app.

    Result:

    The PingID mobile app’s details are displayed in the Details tab.

    Screen capture of the Detials tab.

  8. Click the Assignment tab.

  9. Go to the Policies section.

    Screen capture of the Assignment tab with the Polices section highlighted.

  10. In the Send Application Configuration field, click Enabled.

    Result:

    The Application Configuration section displays.Screen capture of the Assignment tab with the Application Configuration input fields displayed.

  11. In the Application Configuration section, enter the following parameter values.

    Parameter Value

    Configuration Key

    PINGID_MDM_TOKEN.

    • For iOS, the value PINGID_MDM_TOKEN must be entered manually.

    • For Android, the value PINGID_MDM_TOKEN is prepopulated.

    Value Type

    STRING

    Configuration value

    The token string value for MDM, as generated in the PingID admin web configuration page.

  12. In the Make app MDM Managed If User Installed field, click Enabled.

    This option transitions a non-managed app downloaded from the app store to a managed app. The user must approve it on their device.
    For Apple devices earlier than iOS 9 and Android devices

    Users must execute the following steps:

    1. Unpair the PingID mobile app on the iOS device.

    2. Uninstall the PingID mobile app from the iOS device.

    3. Reinstall the PingID mobile app, from the MDM’s app catalog.

    4. Pair the newly installed, MDM managed PingID mobile app.

    For Apple devices with iOS 9 and later

    The user receives a notification on their device to approve the transition to MDM management. After user approval, the PingID mobile app installed on the iOS device is managed by the MDM.

  13. Click Save & Publish.

    Repeat the entire configuration process for Android. The prerequisite to the Android app configuration is Configuring Android for Work for Workspace ONE UEM.

Updating a PingID token in Workspace ONE UEM

Update the token PingID managed app in Workspace ONE UEM for iOS.

About this task

You must configure and save the entire procedure separately for each platform.

Steps

  1. In the Workspace ONE UEM admin console, go to Apps & Books → Applications → List View.

  2. On the Public tab, select the PingID iOS app to edit, and then click the Pencil icon.

    Screen capture of the Public tab with the Pencil icon for the PingID iOS app highlighted.

  3. Click the Assignment tab.

    Screen capture of the Assignments tab with the Polices section and required fields highlighted.

  4. Go to the Policies section.

  5. In the Application Configuration section, enter the following parameter values.

    Parameter Value

    Configuration Key

    PINGID_MDM_TOKEN.

    • For iOS, the value PINGID_MDM_TOKEN must be entered manually.

    • For Android, the value PINGID_MDM_TOKEN is prepopulated.

    Value Type

    STRING

    Configuration value

    The token string value for MDM, as generated in the PingID admin web configuration page.

  6. Click Save & publish.

    Repeat the entire process for Android.