Introducing the Enrollment Certificate Update Tool for VMware Advanced Remote Management


The enrollment certificate is an SSL certificate used by mobile devices to enroll into Workspace ONE Assist system, formerly called Advanced Remote Management (ARM). The current enrollment certificate deployed on VMware Advanced Remote Management systems up to version 5.1.1 for all On-Premises deployments expires on September 6, 2019. If the certificate is not updated, new devices will not be able to enroll into the VMware Advanced Remote Management system after September 6, 2019 but existing devices that are already enrolled into the system will function normally.


Customer Impact

If you are currently running Workspace ONE Assist on a Cloud instance or version 5.2 On-Premises you do not need to do anything and may discard this document. If you are running Advanced Remote Management up to version 5.1.1 on-premise system, you must deploy the new enrollment certificate prior to September 6, 2019 or upgrade your environment to Workspace ONE Assist version 5.2.

This document outlines the procedure to install the new enrollment certificate.

In order to install the new certificate, you will need to use the VMware Advanced Remote Management Certificate Update Tool v1.2.


Configuring the new enrollment Certificate

  1. Download the new Advanced Remote Management Enrollment Certificate Tool and extract the contents
  2. Execute the ARMEnrollmentCertUpdate.exe as an administrator
    1. Provide the required information:
      ARM Server URL (Tenant URL)
      Admin Web Portal Username and Password
      Admin URL
      • For single node: Admin URL is http://localhost:<appropriate port number>
      • For multi-node: Admin URL is http://admin.controlplane.aetherpal.internal:<appropriate port number>
  3. Click Submit
    1. Select both the Configure and Cert options
    2. In the Install Path enter the path to the MgmtServices\App_Data folder.
      1. C:\inetpub\wwwroot\AetherPal\MgmtServices\App_Data
      2. C:\Program Files\AetherPal\MgmtServices\App_Data
    3. Ensure that the Assign permission checkbox is checked, select MgmtWebSite in order to grant permissions to the MgmtWebSite application pool for the new enrollment certificate, and click Process
  4. Note: This step is only required if the Advanced Remote Management deployment is a multi-node environment.
    1. Download and extract the enrollment certificate on the Connection Proxy (CP) server and Install the certificate manually
    2. Navigate to StartRunmmc
    3. Then click FileAdd/Remove Snap-In
    4. Under Available snap-ins, select Certificates and click Add
    5. Select Computer Account for the certificates to manage then click Next
    6. Select Local Computer and click Finish
    7. Click OK to return to the management console
    8. On the left side, expand and right-click Certificates (Local Computer) > PersonalCertificates.
    9. In the Certificate Import Wizard click Next
    10. Click Browse
    11. Locate the new enrollment certificate and click Open
    12. Return to the Wizard and click Next
    13. Leave the populated default values, enter the enrollment certificate password and click Next to proceed
      Note: The provided zip file contains additional information along with the certificate password.
    14. Make sure that the certificate will be placed in the Personal certificate store and click Next
    15. Verify the final screen and click Finish to complete the installation
    16. You will now see the new certificate in the console with the following details:
      • Issued To: AirWatch
      • Expiration Date: 10/3/2021
  5. To verify that the certificate update was successful, log into the Admin Web Portal
    1. Under Tenant Configuration, verify that the parameter :ctl.sec.certs/client/pkoid/pkoi is updated with 1/2
    2. Under DefaultServiceConfiguration, verify the parameter ctl.sec.certs/thumbprint/1/2 is updated properly.
    3. Log into the Workspace ONE portal and perform an end to end remote management session. You may need to restart IIS and ARM (AetherPal) services on the Workspace ONE Assist server.


Support Contact Information

To receive support or provide feedback, either submit a ticket via the My Workspace ONE portal or call your local support line.


Best Regards,
The VMware Workspace ONE Team

Have more questions? Submit a request


Article is closed for comments.