VMware Workspace ONE Integration
Deploy WPA-Enterprise WiFi profiles and EAP-TLS certificates to managed iOS, Android, Windows, macOS, and Chrome OS devices using VMware Workspace ONE UEM (Unified Endpoint Management) with SCEP integration.
Overview
The VMware Workspace ONE integration enables:
- WiFi profile deployment across all major device platforms
- Certificate-based authentication (EAP-TLS) via SCEP
- Unified endpoint management with single console
- Conditional access based on device compliance
- Zero-touch deployment with automated provisioning
Supported Platforms
| Platform | WiFi Profiles | Certificates | Management Level |
|---|---|---|---|
| iOS/iPadOS | ✓ Full support | ✓ SCEP | Supervised and non-supervised |
| Android | ✓ Full support | ✓ SCEP | Work profile, Fully managed |
| Windows 10/11 | ✓ Full support | ✓ SCEP | Corporate and BYOD |
| macOS | ✓ Full support | ✓ SCEP | Corporate and BYOD |
| Chrome OS | ✓ Limited | ✓ Manual | Browser extension required |
| Linux | ✓ Limited | ✓ Manual | Agent-based |
Prerequisites
- IronWifi account with WPA-Enterprise configured
- VMware Workspace ONE UEM subscription
- Workspace ONE Console access (Administrator role)
- Devices enrolled in Workspace ONE
- IronWifi SCEP service enabled
Architecture Overview
Managed Device → Workspace ONE UEM → WiFi Profile → IronWifi RADIUS
                          ↓
                   SCEP Proxy → IronWifi SCEP → Certificate
IronWifi SCEP Configuration
Step 1: Enable SCEP Service
- Log in to IronWifi Console
- Navigate to Account > PKI Infrastructure
- Enable SCEP service
- Configure certificate settings:
  - Key Size: 2048-bit or 4096-bit
  - Validity Period: 365 days (recommended)
  - Subject Format: CN={DeviceID} or CN={Username}
  - Subject Alt Name: DNS, Email, or UPN
- Note your SCEP URL: https://scep.ironwifi.com/your-org
Step 2: Configure SCEP Challenge
Static Challenge (Simple):
- Set a single challenge password
- Use for all enrollments
- Store securely in Workspace ONE
Dynamic Challenge (Advanced):
- Generate unique challenge per device
- Enhanced security
- Requires API integration
Step 3: Download Root Certificate
- In PKI settings, download Root CA certificate
- Save in PEM or DER format
- Upload to Workspace ONE for trust chain
Workspace ONE Console Configuration
Step 1: Upload Root CA Certificate
- Log in to Workspace ONE UEM Console
- Navigate to Resources > Certificates > List View
- Click Upload > CA Certificate
- Upload IronWifi root CA certificate
- Configure:
  - Name: IronWifi Root CA
  - Category: Certificate Authority
  - Allow User Trust: Yes (for iOS/macOS)
- Click Save
Step 2: Create SCEP Profile
- Go to Resources > Profiles & Baselines > Profiles
- Click Add > Add Profile
- Select platform (iOS, Android, Windows, macOS)
- Choose Device Profile or User Profile
Step 3: Configure SCEP Payload
General Settings:
- Profile Name: IronWifi SCEP Certificate
- Description: WiFi authentication certificate
- Assignment Type: Auto, Optional, or Mandatory
SCEP Payload:
- Add Credentials payload
- Select SCEP as credential source
- Configure SCEP settings:
| Setting | Value |
|---|---|
| SCEP URL | https://scep.ironwifi.com/your-org/pkiclient.exe |
| Name | IronWifi Device Certificate |
| Subject | CN={DeviceUid} or CN={EnrollmentUser} |
| Subject Alt Name | DNS:{DeviceUid} or RFC822Name:{EmailAddress} |
| Key Size | 2048 |
| Key Usage | Digital Signature, Key Encipherment |
| Challenge Type | Static or Dynamic |
| Challenge Password | {Your challenge from IronWifi} |
| Certificate Authority | IronWifi Root CA (uploaded above) |
| Retries | 3 |
| Retry Delay | 10 seconds |
| Key is Extractable | No (recommended) |
Step 4: Create WiFi Profile
- In the same or separate profile
- Add WiFi payload
- Configure network settings:
Basic Settings:
- SSID: Your secure network name
- Hidden Network: Yes/No
- Auto Join: Enable
- Security Type: WPA2/WPA3 Enterprise
- Protocol: 802.1X
802.1X Settings:
- EAP Type: EAP-TLS (for certificate authentication)
- Identity: Certificate (use SCEP payload)
- Use Per-Connection Password: No
- Trusted Certificates: IronWifi Root CA
- Trusted Server Names: radius.ironwifi.com (or your RADIUS server)
- Inner Authentication: None (for EAP-TLS)
Alternative: PEAP-MSCHAPv2
- EAP Type: PEAP
- Inner Authentication: MSCHAPv2
- Username: {EnrollmentUser} or {EmailAddress}
- Password: Use Identity Certificate or prompt
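To make the relationship between the SCEP payload and the WiFi payload concrete, the following added example (not Workspace ONE's generated output and not IronWifi code) builds the equivalent Apple configuration profile with Python's standard `plistlib`, using the payload keys from Apple's configuration profile reference. Workspace ONE UEM renders this XML for you from the settings in Steps 3 and 4; building it by hand shows which settings make EAP-TLS safe: the WiFi payload must reference the SCEP identity, pin the uploaded root CA as the only acceptable anchor for the RADIUS server certificate, and list the trusted server names. The SCEP URL, SSID, challenge, subject CN and the `com.example.*` payload identifiers are constructed placeholders; the root CA bytes are a stand-in for the DER file downloaded from the IronWifi Console.

```python
import plistlib
import uuid

# Constructed placeholder: the real DER bytes come from the IronWifi Console download.
ROOT_CA_DER = b"placeholder-root-ca-der-bytes"


def _uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ssid, trusted_server_names, scep_url, challenge, subject_cn,
                  root_ca_der=ROOT_CA_DER, key_size=2048):
    """Return an Apple configuration profile (as a dict) with three payloads:
    the root CA trust anchor, the SCEP certificate request and the WiFi network.
    subject_cn is the value Workspace ONE substitutes for {DeviceUid} etc."""
    ca_uuid, scep_uuid, wifi_uuid = _uuid(), _uuid(), _uuid()
    root_ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ironwifi.rootca",   # hypothetical identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "IronWifi Root CA",
        "PayloadContent": root_ca_der,                          # bytes become <data>
    }
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ironwifi.scep",
        "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "IronWifi Device Certificate",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "IronWifi Device Certificate",
            "Subject": [[["CN", subject_cn]]],   # Apple's nested RDN encoding
            "Challenge": challenge,
            "Key Type": "RSA",
            "Keysize": key_size,
            "Key Usage": 5,                      # 1 = digital signature + 4 = key encipherment
            "Retries": 3,
            "RetryDelay": 10,
            "KeyIsExtractable": False,           # "Key is Extractable: No" from the table
        },
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ironwifi.wifi",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"WiFi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": scep_uuid,     # identity = the SCEP-issued certificate
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],              # 13 = EAP-TLS, nothing else accepted
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": [ca_uuid],   # only this CA may sign the RADIUS cert
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ironwifi.eap-tls",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "IronWifi EAP-TLS WiFi",
        "PayloadContent": [root_ca_payload, scep_payload, wifi_payload],
    }


def lint_profile(profile):
    """Return findings for the settings that decide whether the client would
    trust the wrong RADIUS server or let its private key leave the device."""
    payloads = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    wifi = payloads.get("com.apple.wifi.managed", {})
    scep = payloads.get("com.apple.security.scep", {})
    eap = wifi.get("EAPClientConfiguration", {})
    findings = []
    if eap.get("AcceptEAPTypes") != [13]:
        findings.append("EAP type is not EAP-TLS only")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no trusted server names: any server certificate from the anchor CA is accepted")
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no anchor CA pinned: the device trust store decides")
    if wifi.get("PayloadCertificateUUID") != scep.get("PayloadUUID"):
        findings.append("WiFi payload does not reference the SCEP identity")
    if scep.get("PayloadContent", {}).get("KeyIsExtractable", True):
        findings.append("private key is extractable")
    return findings


def to_mobileconfig(profile):
    """Serialise to the XML plist a device would install (unsigned here)."""
    return plistlib.dumps(profile)
```

Running `lint_profile` over the profile that Workspace ONE actually deploys (export it from the console and load it with `plistlib.load`) is a quick way to confirm that "Trusted Server Names" and "Key is Extractable: No" made it into the payload rather than staying as console settings that were never published.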
Step 5: Assign Profile to Smart Groups
- Click Assignment tab
- Add Assignment Groups:
  - Assigned Groups: Select smart groups or organization groups
  - Exclude Groups: Exclude if needed
- Set deployment options:
  - Push Mode: Auto (install automatically)
  - Removal: Remove on unenrollment
Step 6: Publish Profile
- Review all settings
- Click Save & Publish
- Profile deploys to assigned devices
- Monitor deployment status
Platform-Specific Configuration
iOS/iPadOS
Supervised Devices:
Additional capabilities available:
- Force WiFi profile (cannot be removed)
- Network selection priority
- Disable MAC address randomization
- Captive network handling
SCEP Profile Settings:
- Allow all apps to access: No
- Allow export from keychain: No
- Use as Digital Signature: Yes
- Use for Key Encipherment: Yes
WiFi Profile Settings:
- Enable IPSec: Optional
- Setup modes: System, Login Window, System + Login Window
- Priority: Set to preferred network
Android Enterprise
Fully Managed Devices:
- Full control over device WiFi settings
- System-wide WiFi profile application
- Prevent user modification of WiFi settings
Work Profile:
- WiFi profile scoped to work profile
- Personal profile uses separate WiFi
- May require separate credentials
Configuration:
- WiFi Hidden Network: Configure hidden SSID behavior
- Proxy: Configure proxy settings if needed
- IP Settings: DHCP or Static
- Connection Priority: Auto-connect priority level
Windows 10/11
Domain-Joined:
- Integration with Active Directory
- Computer certificate authentication
- Pre-login WiFi access
BYOD:
- User certificate authentication
- Limited to user session
- Profile per user
Workspace ONE Tunnel (Optional):
- Per-app VPN with WiFi
- Split tunneling configuration
- Conditional access enforcement
Native WiFi Profile:
- Connection Type: ESS (Infrastructure)
- Authentication: WPA2/WPA3-Enterprise
- Encryption: AES
- Single Sign On: Enable for seamless auth
- FIPS Mode: Enable if required
macOS
Configuration Similar to iOS:
- User vs System: Choose authentication level
- Login Window: Enable for pre-login WiFi
- Auto Join: Enable preferred network
- Keychain: Certificate stored in System Keychain
System Extensions:
- May require Network Extension approval
- Configure System Extensions policy
- User approval may be needed
Chrome OS
Limited Support:
- Use Chrome OS Browser Extension
- Configure via Enterprise policy
- Manual certificate import may be needed
- Consider Google Admin Console for full support
Certificate Management
Certificate Lifecycle
1. Enrollment:
   Device receives profile → SCEP request → Certificate issued
   ↓
   Certificate stored in secure storage
   ↓
   WiFi authenticates with certificate
2. Renewal:
- Configure renewal threshold (e.g., 30 days before expiry)
- Automatic SCEP renewal via Workspace ONE
- Monitor renewal success in UEM Console
3. Revocation:
- Device unenrolled → Certificate marked for revocation
- Revoke in IronWifi Console
- Certificate added to CRL
- Device cannot authenticate
Certificate Templates
Create reusable SCEP templates:
- Employee Certificate Template
  - Validity: 365 days
  - Subject: CN={EnrollmentUser}
  - Key Size: 2048
  - Auto-renewal: 30 days before expiry
- Device Certificate Template
  - Validity: 730 days
  - Subject: CN={DeviceUid}
  - Key Size: 2048
  - Auto-renewal: 60 days before expiry
- Contractor Certificate Template
  - Validity: 90 days
  - Subject: CN={EmailAddress}
  - Key Size: 2048
  - Auto-renewal: Disabled
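The lifecycle in the previous section (enroll, renew before the threshold, revoke on unenrollment) and the three templates above combine into a small state model. The following added example is not IronWifi or Workspace ONE code; it is a constructed, in-memory model that applies the template validity and renewal thresholds to dates so you can see exactly when a certificate becomes renewal-due, when a contractor certificate with auto-renewal disabled simply expires, and how an unenrollment moves serials onto the CRL. The `CertificateStore` class, its method names and the serial numbers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Template:
    name: str
    validity_days: int
    subject_format: str                    # Workspace ONE lookup value, e.g. "CN={EnrollmentUser}"
    key_size: int = 2048
    renew_days_before: Optional[int] = None  # None: auto-renewal disabled


# The three templates from the section above.
TEMPLATES = {
    "employee": Template("Employee Certificate", 365, "CN={EnrollmentUser}", 2048, 30),
    "device": Template("Device Certificate", 730, "CN={DeviceUid}", 2048, 60),
    "contractor": Template("Contractor Certificate", 90, "CN={EmailAddress}", 2048, None),
}


@dataclass
class IssuedCert:
    serial: int
    subject: str
    template: Template
    not_before: date
    not_after: date
    revoked: bool = False


class CertificateStore:
    """Constructed model of the enroll / renew / revoke steps; not a real CA."""

    def __init__(self):
        self._next_serial = 1
        self.certs = {}
        self.crl = set()          # serials that RADIUS must reject

    def _issue(self, subject, template, today):
        cert = IssuedCert(self._next_serial, subject, template, today,
                          today + timedelta(days=template.validity_days))
        self.certs[cert.serial] = cert
        self._next_serial += 1
        return cert

    def enroll(self, template_key, attributes, today):
        """SCEP enrollment: substitute the lookup values into the subject."""
        tpl = TEMPLATES[template_key]
        return self._issue(tpl.subject_format.format(**attributes), tpl, today)

    def status(self, serial, today):
        cert = self.certs[serial]
        if cert.revoked:
            return "revoked"
        if today > cert.not_after:
            return "expired"
        threshold = cert.template.renew_days_before
        if threshold is not None and today >= cert.not_after - timedelta(days=threshold):
            return "renewal-due"
        return "valid"

    def due_for_renewal(self, today):
        return [s for s in self.certs if self.status(s, today) == "renewal-due"]

    def renew(self, serial, today):
        """Automatic renewal: issue the replacement first, then revoke the old one."""
        old = self.certs[serial]
        new = self._issue(old.subject, old.template, today)
        self.revoke(serial)
        return new

    def revoke(self, serial):
        self.certs[serial].revoked = True
        self.crl.add(serial)

    def unenroll(self, subject):
        """Device unenrolled: every live certificate for that subject goes on the CRL."""
        for cert in list(self.certs.values()):
            if cert.subject == subject and not cert.revoked:
                self.revoke(cert.serial)
```

A point the model makes visible: a contractor certificate never reports "renewal-due", so the only signal you get is "expired", which is why the monitoring section later recommends watching expiration dates rather than only renewal status.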
Smart Groups and Targeting
Organization Groups (OG)
Hierarchical structure for management:
Company Root
├── Corporate Devices
│   ├── Executives
│   ├── Sales Team
│   └── IT Department
├── BYOD Devices
│   ├── iOS Devices
│   └── Android Devices
└── Contractors
Smart Groups
Dynamic groups based on criteria:
1. Platform-Based:
   - iOS Devices: Platform = iOS
   - Android Corporate: Platform = Android AND Ownership = Corporate
2. Compliance-Based:
   - Compliant Devices: Compliance Status = Compliant
   - Non-Compliant: Compliance Status = Non-Compliant
3. User-Based:
   - Specific departments: User Group = Engineering
   - Locations: Location = Headquarters
4. Custom Attributes:
   - VIP Users: Custom Attribute = VIP
   - Specific device models: Model = iPhone 14 Pro
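The smart group criteria above and the Assigned/Exclude Groups from Step 5 of the console configuration are easy to reason about in code. The following added example (not Workspace ONE's evaluation engine) models the criteria as AND-combined attribute matches over constructed device records, then computes which devices would receive a profile given assigned and excluded groups. Note that a device with no reported compliance status falls into neither compliance group, so an assignment that requires "Compliant Devices" fails closed. The device records and their attribute names are constructed samples.

```python
# Smart group definitions from the list above: every criterion must match (AND).
SMART_GROUPS = {
    "iOS Devices":       {"Platform": "iOS"},
    "Android Corporate": {"Platform": "Android", "Ownership": "Corporate"},
    "Compliant Devices": {"Compliance Status": "Compliant"},
    "Non-Compliant":     {"Compliance Status": "Non-Compliant"},
    "Engineering":       {"User Group": "Engineering"},
    "Headquarters":      {"Location": "Headquarters"},
    "VIP Users":         {"Custom Attribute": "VIP"},
    "iPhone 14 Pro":     {"Model": "iPhone 14 Pro"},
}

# Constructed device records as a UEM inventory might report them.
DEVICES = [
    {"id": "d1", "Platform": "iOS", "Ownership": "Corporate", "Model": "iPhone 14 Pro",
     "Compliance Status": "Compliant", "User Group": ["Engineering", "Sales Team"],
     "Location": "Headquarters"},
    {"id": "d2", "Platform": "Android", "Ownership": "Corporate", "Model": "Pixel 7",
     "Compliance Status": "Non-Compliant", "User Group": ["Sales Team"], "Location": "Remote"},
    {"id": "d3", "Platform": "Android", "Ownership": "Employee Owned", "Model": "Galaxy S23",
     "User Group": ["Engineering"], "Location": "Headquarters", "Custom Attribute": "VIP"},
]


def _matches(device, key, wanted):
    """One criterion: multi-valued attributes (user groups) match if they contain the value."""
    actual = device.get(key)
    if actual is None:
        return False                      # missing attribute never satisfies a criterion
    if isinstance(actual, (list, tuple, set)):
        return wanted in actual
    return actual == wanted


def member_of(device, criteria):
    return all(_matches(device, k, v) for k, v in criteria.items())


def smart_groups_for(device):
    return [name for name, criteria in SMART_GROUPS.items() if member_of(device, criteria)]


def profile_targets(devices, assigned, excluded=()):
    """Devices that receive a profile: in at least one assigned group and in no excluded group."""
    assigned, excluded = set(assigned), set(excluded)
    targets = []
    for device in devices:
        groups = set(smart_groups_for(device))
        if groups & assigned and not groups & excluded:
            targets.append(device["id"])
    return targets
```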
Conditional Access
Compliance Policies
Create compliance requirements:
Device Compliance:
- Navigate to Devices > Compliance Policies
- Create policy with rules:
  - OS Version: Minimum required
  - Encryption: Required
  - Jailbreak/Root: Not allowed
  - Passcode: Required
- Non-compliant action: Block WiFi profile deployment
Integration with IronWifi
RADIUS Attributes:
- Pass compliance status as RADIUS attribute
- IronWifi checks compliance before auth
- Non-compliant devices denied or placed in guest VLAN
Directory Services:
- Sync Workspace ONE groups to IronWifi
- Use group membership for RADIUS policies
- Dynamic VLAN assignment based on group
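The two lists above describe the authorization step that follows a successful EAP-TLS handshake: the compliance status passed from Workspace ONE and the synced group membership decide whether the device is accepted, quarantined in a guest VLAN or rejected, and which VLAN it lands in. The added example below (not IronWifi's RADIUS policy engine) writes that decision as one function that returns the RADIUS response code and the standard VLAN assignment attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id from RFC 2868 / RFC 3580). The VLAN numbers, the group-to-VLAN order and the `quarantine_vlan` parameter are assumptions for the example; a device whose compliance status never arrived is treated as non-compliant rather than trusted.

```python
# Standard RADIUS enumerations (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: first matching group wins, so order the list by privilege.
VLAN_BY_GROUP = [
    ("Executives", 10),
    ("IT Department", 20),
    ("Sales Team", 30),
    ("Contractors", 40),
]
GUEST_VLAN = 99


def authorize(identity, cert_valid, compliance_status, groups, quarantine_vlan=GUEST_VLAN):
    """Decide the RADIUS reply after EAP-TLS has completed.

    identity:          subject CN from the client certificate
    cert_valid:        chain, validity period and CRL check all passed
    compliance_status: value carried over from Workspace ONE, None if never reported
    groups:            directory groups synced to IronWifi for this user/device
    quarantine_vlan:   VLAN for non-compliant devices; None means reject them outright
    """
    if not cert_valid:
        return "Access-Reject", {"Reply-Message": "certificate invalid or revoked"}

    if compliance_status != "Compliant":
        # Unknown and non-compliant are handled the same way: never the trusted VLAN.
        if quarantine_vlan is None:
            return "Access-Reject", {"Reply-Message": "device not compliant"}
        vlan = quarantine_vlan
    else:
        vlan = next((v for g, v in VLAN_BY_GROUP if g in groups), None)
        if vlan is None:
            return "Access-Reject", {"Reply-Message": "no VLAN policy for user groups"}

    return "Access-Accept", {
        "User-Name": identity,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
    }
```

Whether non-compliant devices get the guest VLAN or an outright reject is a policy choice the section leaves open; the function makes it an explicit parameter so the choice is visible in the configuration rather than implied by a missing rule.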
Deployment Strategies
1. Staged Rollout
Stage 1: IT Pilot (Week 1)
- Deploy to IT team (50-100 devices)
- Test all platforms and scenarios
- Gather feedback and refine
Stage 2: Department Pilot (Week 2-3)
- Roll out to one or two departments
- Monitor for issues
- Provide user support
Stage 3: Company-Wide (Week 4+)
- Deploy to all assigned groups
- Monitor compliance and connectivity
- Iterate based on metrics
2. Zero-Touch Provisioning
iOS (Apple DEP/ABM):
- Devices purchased through Apple Business Manager
- Assigned to Workspace ONE
- User activates device
- Workspace ONE enrolls automatically
- WiFi profile installs immediately
Android (Zero-Touch Enrollment):
- Purchase from zero-touch reseller
- Assign to Workspace ONE configuration
- Device powers on, enrolls automatically
- WiFi configures without user action
Windows (Autopilot):
- Register devices in Autopilot
- Link to Workspace ONE
- User signs in with work account
- Device enrolls and configures WiFi
3. Self-Service Enrollment
Workspace ONE Intelligent Hub:
- User installs Intelligent Hub app
- Enters enrollment credentials
- Accepts device management
- WiFi profile installs automatically
User Experience:
- Minimal user interaction required
- WiFi "just works" after enrollment
- Self-service troubleshooting via Hub
Advanced Features
Workspace ONE Intelligence
Analytics:
- WiFi connectivity metrics
- Authentication success rates
- Certificate deployment status
- User experience scoring
Automation:
- Auto-remediation for failed profiles
- Proactive certificate renewal
- Automated compliance checks
Reporting:
- Custom dashboards
- Executive reports
- Trend analysis
Workspace ONE Access
Identity Integration:
- Single sign-on to WiFi
- Multi-factor authentication
- Conditional access policies
- User behavior analytics
Integration with IronWifi:
- Configure Workspace ONE Access as SAML IdP
- IronWifi uses Access for authentication
- Seamless user experience
- Enhanced security
Workspace ONE Assist
Remote Support:
- Remote troubleshooting of WiFi issues
- View device network settings
- Push profile updates remotely
- Real-time diagnostics
Monitoring and Troubleshooting
Workspace ONE Console Monitoring
Dashboard Widgets:
- Certificate Deployment Status
  - Successful: X devices
  - Pending: Y devices
  - Failed: Z devices
- WiFi Profile Compliance
  - Profile installed: X%
  - Pending install: Y%
  - Failed: Z%
- Network Connectivity
  - Connected devices: X
  - Last seen: Timestamp
  - Connection duration: Hours
IronWifi Monitoring
Authentication Logs:
- Navigate to Reports > Authentication
- Filter by:
  - Certificate-based auth
  - Success/failure status
  - Device type
  - Time range
- Export for analysis
Certificate Status:
- View issued certificates
- Monitor expiration dates
- Track renewal status
- Identify revoked certificates
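Once the authentication log is exported, the filters listed above (success/failure, device type, time range) become a few lines of analysis. The added example below is not IronWifi's export format or tooling: it parses constructed sample lines in a simple key=value layout, computes the per-platform success rate that the Intelligence analytics section later mentions, tallies failure reasons, and flags identities that fail repeatedly within a short window, which are the first devices to look up under Certificate Status (an expired or revoked certificate retrying every minute is the usual cause). The log layout, field names and values are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not IronWifi's real log format).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z result=accept identity=CN=DEV-001 device=iOS eap=TLS reason=-
2024-05-01T08:00:05Z result=reject identity=CN=DEV-002 device=Android eap=TLS reason=certificate-expired
2024-05-01T08:00:09Z result=accept identity=CN=DEV-003 device=Windows eap=TLS reason=-
2024-05-01T08:01:00Z result=reject identity=CN=DEV-002 device=Android eap=TLS reason=certificate-expired
2024-05-01T08:01:30Z result=reject identity=CN=DEV-002 device=Android eap=TLS reason=certificate-expired
2024-05-01T08:02:00Z result=reject identity=CN=DEV-009 device=iOS eap=TLS reason=unknown-ca
2024-05-01T08:02:10Z result=accept identity=CN=DEV-004 device=iOS eap=TLS reason=-
"""


def parse_line(line):
    """Timestamp followed by key=value fields; values may themselves contain '='."""
    ts, rest = line.split(" ", 1)
    record = dict(field.split("=", 1) for field in rest.split())
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def success_rate_by_device(records):
    """Fraction of accepted authentications per device platform."""
    totals, accepted = Counter(), Counter()
    for r in records:
        totals[r["device"]] += 1
        if r["result"] == "accept":
            accepted[r["device"]] += 1
    return {device: round(accepted[device] / totals[device], 2) for device in totals}


def failure_reasons(records):
    return Counter(r["reason"] for r in records if r["result"] == "reject")


def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Identities rejected `threshold` or more times inside `window`."""
    rejects = defaultdict(list)
    for r in records:
        if r["result"] == "reject":
            rejects[r["identity"]].append(r["ts"])
    flagged = []
    for identity, times in rejects.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(identity)
                break
    return flagged
```

The `unknown-ca` reason in the sample is worth singling out in a real export: on the client side it corresponds to the iOS trust issues described in the troubleshooting section, and on the server side it can indicate a device presenting a certificate from a CA the RADIUS server was never configured to trust.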
Troubleshooting Common Issues
1. Certificate Not Deploying
Symptoms:
- SCEP payload shows failed status
- Certificate not in device keychain
- Error in Workspace ONE logs
Resolution:
- Verify SCEP URL is accessible from device
- Check challenge password is correct
- Review firewall rules (allow HTTPS to SCEP endpoint)
- Validate certificate template settings
- Check device connectivity to internet
- Review detailed error logs in UEM Console
2. WiFi Not Connecting
Symptoms:
- Certificate installed but WiFi fails
- Authentication rejected by RADIUS
- Intermittent connectivity
Resolution:
- Verify certificate is valid (not expired)
- Check SSID and security settings match
- Confirm RADIUS server is reachable
- Review trusted server names configuration
- Check IronWifi authentication logs for errors
- Test with manual WiFi configuration
3. Profile Installation Fails
Symptoms:
- Profile stuck in "Pending" status
- Installation error on device
- Profile not appearing
Resolution:
- Check device enrollment status
- Verify device is in assigned smart group
- Review assignment rules and exclusions
- Force device check-in
- Check for conflicting profiles
- Review device-side error logs
4. iOS Trust Issues
Symptoms:
- "Certificate not trusted" error
- Manual trust prompt appears
- WiFi connection fails with cert error
Resolution:
- Install root CA certificate in separate profile
- Mark CA certificate as trusted for WiFi
- Deploy CA profile before SCEP profile
- For supervised devices, force trust
- Verify certificate chain is complete
5. Android Work Profile Issues
Symptoms:
- WiFi only works in work apps
- Personal apps cannot access WiFi
- Profile conflicts
Resolution:
- Verify profile is assigned to work profile
- Check if system-wide WiFi is intended
- For fully managed, use device-wide profile
- Review Android Enterprise enrollment type
- Check work profile status
Diagnostic Tools
Workspace ONE Console Tools:
- Device Timeline: View all device events
- Logs: Download detailed logs
- Command: Send diagnostic commands
- Samples: Collect device diagnostics
Device-Side Tools:
- Workspace ONE Intelligent Hub: View profile status
- Device Settings: Check certificate installation
- Network Diagnostics: Test connectivity
- Console Logs: Review system logs
Security Best Practices
1. Certificate Security
Recommendations:
- Use 2048-bit minimum key size (4096-bit for high security)
- Set appropriate validity periods (365 days standard)
- Disable certificate export from keychain
- Enable certificate revocation checking
- Rotate CA certificates periodically
- Use hardware-backed keystores where available
2. Profile Security
Settings:
- Mark profiles as non-removable (supervised iOS)
- Encrypt profile payloads in transit
- Use device-level profiles when possible
- Require passcode for profile installation
- Enable tamper detection
3. Network Security
Configuration:
- Use WPA3-Enterprise where supported
- Require certificate validation
- Configure trusted server names
- Implement RADIUS accounting
- Use VLAN segmentation
- Monitor for rogue access points
4. Access Control
Policies:
- Implement least privilege access
- Use compliance-based conditional access
- Require MFA for sensitive groups
- Regularly audit profile assignments
- Review and rotate credentials
- Log all administrative actions
5. Data Protection
Measures:
- Encrypt WiFi credentials in profiles
- Use separate profiles for different security zones
- Implement data loss prevention policies
- Enable remote wipe capabilities
- Regular security audits
Multi-Tenancy and MSP Use Cases
Managed Service Provider (MSP) Setup
Multi-Tenant Architecture:
MSP Workspace ONE Tenant
├── Customer A Organization Group
│   └── IronWifi RADIUS for Customer A
├── Customer B Organization Group
│   └── IronWifi RADIUS for Customer B
└── Customer C Organization Group
    └── IronWifi RADIUS for Customer C
Configuration:
- Create separate OGs per customer
- Configure unique SCEP URLs per customer
- Isolated WiFi profiles per customer
- Separate smart groups and policies
- Customer-specific reporting
Best Practices:
- Use naming conventions (e.g., "CustomerA_WiFi")
- Document configurations per customer
- Separate admin roles per customer
- Regular compliance audits
- Automated reporting per customer
Cost Considerations
Workspace ONE Licensing
| Edition | Features | Best For |
|---|---|---|
| Workspace ONE Standard | Basic UEM, Email, VPN | Small business |
| Workspace ONE Advanced | +Intelligence, Automation | Enterprise |
| Workspace ONE Enterprise | +Access, Assist, Carbon Black | Large enterprise |
IronWifi Costs
- SCEP Service: May require add-on subscription
- API Access: Included in standard plans
- RADIUS Infrastructure: Based on locations/users
- Support: Standard vs. Premium support
Total Cost of Ownership
Factors:
- Per-device licensing (Workspace ONE)
- Infrastructure (RADIUS servers)
- Administrative overhead
- Support and training
- Certificate management
ROI Considerations:
- Reduced helpdesk tickets
- Improved security posture
- Automated provisioning savings
- Reduced password-related incidents
- Compliance benefits
Migration Strategies
From Manual WiFi Configuration
Migration Plan:
- Assessment (Week 1)
  - Document current WiFi settings
  - Identify all SSIDs in use
  - List device inventory
- Pilot Setup (Week 2-3)
  - Configure Workspace ONE profiles
  - Test with pilot group
  - Gather feedback
- Rollout (Week 4+)
  - Deploy profiles to all users
  - Provide migration instructions
  - Sunset manual configurations
User Communication:
- Notify users of upcoming change
- Provide migration date and process
- Offer support during transition
- FAQ document for common issues
From Another MDM
Migration Steps:
- Parallel Setup
  - Configure Workspace ONE alongside existing MDM
  - Test profile parity
  - Validate certificate deployment
- Device Migration
  - Unenroll from old MDM
  - Enroll in Workspace ONE
  - Verify WiFi connectivity
- Cutover
  - Scheduled maintenance window
  - Migrate users in batches
  - Monitor for issues
  - Provide support
Data Considerations:
- Export device inventory from old MDM
- Map policies to Workspace ONE equivalent
- Backup existing configurations
- Plan for certificate reissuance
Integration with Other Systems
Directory Services
Active Directory:
- Sync users and groups from AD
- Use AD credentials for WiFi (PEAP)
- GPO integration for Windows devices
Azure AD:
- SSO via Azure AD
- Conditional Access policies
- Dynamic group membership
LDAP:
- Custom LDAP directory integration
- Attribute-based policies
- Group-based access control
Identity Providers
SAML Integration:
- Workspace ONE Access as IdP
- Third-party IdP (Okta, OneLogin)
- SSO for captive portal
OAuth/OIDC:
- Modern authentication protocols
- Mobile app authentication
- API access control
SIEM and Logging
Log Export:
- Forward Workspace ONE logs to SIEM
- IronWifi authentication logs to SIEM
- Correlation for security analytics
Supported SIEM:
- Splunk
- LogRhythm
- ArcSight
- QRadar
- Azure Sentinel
Compliance and Audit
Compliance Frameworks
Supported Standards:
- HIPAA: Healthcare data protection
- PCI DSS: Payment card security
- SOX: Financial reporting
- GDPR: Data privacy
- NIST: Cybersecurity framework
Workspace ONE Features:
- Compliance policies enforcement
- Audit logging
- Certificate tracking
- Device attestation
- Automated reporting
Audit Reports
Available Reports:
- Device Compliance Report
  - Compliant vs. non-compliant devices
  - Compliance trend over time
  - Non-compliance reasons
- Certificate Report
  - Issued certificates
  - Expiration dates
  - Renewal status
  - Revoked certificates
- Profile Deployment Report
  - Installation success rate
  - Pending installations
  - Failures with reasons
  - Removal tracking
- Authentication Report (from IronWifi)
  - Successful authentications
  - Failed attempts
  - User/device activity
  - Network access logs
Support Resources
VMware Resources
- Workspace ONE Documentation
- Workspace ONE Community
- Workspace ONE Tech Zone
- VMware Knowledge Base
- VMware Support Portal
IronWifi Resources
- SCEP Configuration Guide
- User Management
- Group Policies
- IronWifi Support: support@ironwifi.com
Training
- VMware Workspace ONE certification courses
- IronWifi implementation webinars
- Partner training programs
- YouTube tutorials and walkthroughs