SSO and MAG Proxy behavior expectations with AirWatch SDK 16.10.2 for Android

SDK 16.10.2 SSO Behavior

Due to updates to the SSO behavior with AirWatch SDK 16.10.2, apps that are developed using this version of the SDK should expect the following behavior:

  1. If Single Sign On is enabled in the AirWatch Console under Settings > Apps > Settings And Policies > Security Policies, then any applications built using AirWatch SDK 16.10.2 will not be able to share a passcode with any AirWatch apps, or apps built using previous versions of the AirWatch SDK. Users will be prompted to create a new passcode to be used for apps built specifically using AirWatch SDK 16.10.2.
  2. If Key Encryption With User Input is enabled under Settings > Devices & Users > Android, then the Android Agent must be unlocked after a device reboot by entering the app passcode. If an app built using AirWatch SDK 16.10.2 is launched before the Agent is unlocked, the app will crash.

Future versions of Android applications released by AirWatch will contain updated SSO behavior that will allow a single SSO session between AirWatch apps and apps built using SDK 16.10.2, without the caveats mentioned above.

 

SDK 16.10.2 MAG Proxy Behavior

When an Android app using AirWatch SDK 16.10.2 attempts to proxy traffic through an AirWatch MAG, in some situations the app may experience a crash with the following error message:

          Fatal exception after this SDK method call or when Tunneling using HttpClient/webview:
          D/AirWatch: createSignedCmsWithPKC12Data() start

This error occurs in environments where the IIS configuration on the MAG Proxy server causes the MAG certificate (.p12) generated for devices to be encrypted with a non-FIPS-compliant algorithm. The crash occurs when the app tries to use these certificates to proxy network traffic.

Workaround:

Rotate the P12 certificates so that they are re-generated with a FIPS-compliant encryption algorithm. This is handled automatically for any new app installs and for upgrades from apps that are written with the GatewaySplash Activity as the Launcher Activity.

However, upgrades from apps built using the SDKContextManager are not handled automatically and require developers to add the following snippet of code:

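          // Initialize the crypto utility, then rotate the existing P12 so it is re-generated with FIPS mode on.
          OpenSSLCryptUtil.createInstance(context);
          String newP12Cert = OpenSSLCryptUtil.getInstance().rotateP12AndToggleFipsOn(oldP12Cert, certPassword);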