Updated AirWatch Installer flow in AirWatch 9.1 - AirWatch Signing Service

For increased security, AirWatch 9.1 introduces an updated installation process that will dynamically request an identity certificate that can be used with the AirWatch Signing Service to ensure trust with client certificates generated by various AirWatch components.  This process must be followed for every environment that is installing AirWatch 9.1+ for the first time.  After this initial install, the identity certificate is stored with the AirWatch Signing Service, allowing for more streamlined upgrades in the future.

A step-by-step guide for the new installation process is available here.

Automatic Flow

The following network requirements must be met for the automatic flow to work.  If these requirements are not met, installation can be completed using the manual flow specified in the section below.  The requirements are: 

  • Outbound access to the host signing.awmdm.com must be allowed
  • Authorization headers must be left intact
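A pre-flight check for the first requirement, run from the server that will run the installer. This is an added example, not AirWatch code. It assumes the service is reached directly over HTTPS on TCP 443 (the article states no port or proxy setup), and the function name is hypothetical. It cannot test the Authorization header requirement, but the certificate issuer it reports helps spot a TLS-inspecting proxy in the path, which is the kind of device that can alter headers.

```powershell
# Added pre-flight check (not AirWatch code).
$SigningHost = 'signing.awmdm.com'   # host named in the article
$Port        = 443                   # ASSUMPTION: HTTPS; the article does not state a port

function Test-SigningServicePath {   # hypothetical helper name
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)

    $result = [ordered]@{
        Host = $HostName; Port = $Port; Dns = $false; Tcp = $false; Tls = $false
        CertSubject = $null; CertIssuer = $null; Error = $null
    }
    $client = $null; $ssl = $null
    try {
        # 1. DNS: the name must resolve from this server.
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        $result.Dns = $true

        # 2. TCP: the outbound connection must be allowed by the firewall.
        $client  = New-Object System.Net.Sockets.TcpClient
        $connect = $client.ConnectAsync($HostName, $Port)
        if (-not $connect.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $result.Tcp = $true

        # 3. TLS: complete a validated handshake and record whose certificate was presented.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Tls = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertIssuer  = $cert.Issuer   # an internal CA here suggests TLS interception
    }
    catch { $result.Error = $_.Exception.GetBaseException().Message }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    [pscustomobject]$result
}

Test-SigningServicePath -HostName $SigningHost -Port $Port | Format-List
```

If Dns, Tcp and Tls are all True and the issuer is a public certificate authority rather than your organization's own, the outbound path is open and unmodified at the TLS layer; otherwise the Error field shows which stage failed.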

When running the AirWatch Installer for 9.1 or above, you will reach a page titled "Global Enterprise Manager (GEM)."  If your AirWatch environment is able to properly communicate with the AirWatch Signing Service, then you will see a field requesting the Installation Token as well as a link to generate the token in myAirWatch.  If your AirWatch environment does not meet the network requirements, you will not see the Installation Token field, and can continue through the installer using the process specified in the Manual Flow section.

Note: If this is an upgrade where no new certificates are required to be signed by AirWatch, you will not see the Installation Token field, and this field will not be required throughout the upgrade.

myAirWatch users that have access to the AirWatch Console installer files can navigate to the Certificate Signing portal in myAirWatch, or simply access it by selecting the link in the installer.  On this page, you can generate the Installation Token that is then used in the installer by selecting the Authorize Install option, and then Generate a Token.  As you continue through the installation process, the installer will automatically leverage the AirWatch Signing Service to generate and sign the root certificates used in the AirWatch environment.

Note that an Install Authorization token generated in myAirWatch will last for 24 hours.  After this time period, a new token must be generated.


Manual Flow

If you do not meet the network requirements specified in the Automatic Flow section, you can manually request and sign the AirWatch root certificate after the installer normally completes.  Following the normal installation flow, the AirWatch Certificate Installer will automatically launch.  Note: If for some reason it doesn't launch, you can open it manually by navigating to {airwatch_install_location}\Supplemental Software\CertInstaller\CertificateInstaller.exe.

In the AirWatch Certificate Installer, you must first specify how you have configured authentication into the AirWatch database (either using a SQL account directly, or using Windows Authentication).  Once the authentication is confirmed, you will reach a page where you can select Get File to generate a .plist file that contains a batch of certificate signing requests.  Save this file.

Navigate to the Certificate Signing portal in myAirWatch.  Select Install Authorization and then Upload A File.  Upload the .plist file generated from the installer, and then save the file that is given as a response.

Back in the AirWatch Installer, navigate to the next page, and then select the Set File option.  Select the file saved from the myAirWatch Certificate Signing portal, and then complete the installation.


