Overview
The enrollment certificate is an SSL certificate used by mobile devices to enroll into the Workspace ONE Assist system, formerly called Advanced Remote Management (ARM). The current enrollment certificate deployed on VMware Advanced Remote Management systems up to version 5.1.1 for all On-Premises deployments expires on September 6, 2019. If the certificate is not updated, new devices will not be able to enroll into the VMware Advanced Remote Management system after September 6, 2019, but existing devices that are already enrolled into the system will function normally.
Customer Impact
If you are currently running Workspace ONE Assist on a Cloud instance or version 5.2 On-Premises, you do not need to do anything and may discard this document. If you are running an On-Premises Advanced Remote Management system up to version 5.1.1, you must deploy the new enrollment certificate prior to September 6, 2019 or upgrade your environment to Workspace ONE Assist version 5.2.
This document outlines the procedure to install the new enrollment certificate.
In order to install the new certificate, you will need to use the VMware Advanced Remote Management Certificate Update Tool v1.2.
Configuring the new enrollment Certificate
- Download the new Advanced Remote Management Enrollment Certificate Tool and extract the contents
- Execute the ARMEnrollmentCertUpdate.exe as an administrator
- Provide the required information:
  - ARM Server URL (Tenant URL)
  - Admin Web Portal Username and Password
  - Admin URL
    - For single node: Admin URL is http://localhost:<appropriate port number>
    - For multi-node: Admin URL is http://admin.controlplane.aetherpal.internal:<appropriate port number>
- Click Submit
- Select both the Configure and Cert options
- In the Install Path enter the path to the MgmtServices\App_Data folder.
  Examples:
  C:\inetpub\wwwroot\AetherPal\MgmtServices\App_Data
  C:\Program Files\AetherPal\MgmtServices\App_Data
- Ensure that the Assign permission checkbox is checked, select MgmtWebSite in order to grant permissions to the MgmtWebSite application pool for the new enrollment certificate, and click Process
- Note: This step is only required if the Advanced Remote Management deployment is a multi-node environment.
- Download and extract the enrollment certificate on the Connection Proxy (CP) server and install the certificate manually
- Navigate to Start > Run > mmc
- Then click File > Add/Remove Snap-In
- Under Available snap-ins, select Certificates and click Add
- Select Computer Account for the certificates to manage then click Next
- Select Local Computer and click Finish
- Click OK to return to the management console
- On the left side, expand and right-click Certificates (Local Computer) > Personal > Certificates.
- In the Certificate Import Wizard click Next
- Click Browse
- Locate the new enrollment certificate and click Open
- Return to the Wizard and click Next
- Leave the populated default values, enter the enrollment certificate password and click Next to proceed
  Note: The provided zip file contains additional information along with the certificate password.
- Make sure that the certificate will be placed in the Personal certificate store and click Next
- Verify the final screen and click Finish to complete the installation
- You will now see the new certificate in the console with the following details:
Issued To: AirWatch
Expiration Date: 10/3/2021
- To verify that the certificate update was successful, log into the Admin Web Portal
- Under Tenant Configuration, verify that the parameter ctl.sec.certs/client/pkoid/pkoi is updated with 1/2
- Under DefaultServiceConfiguration, verify the parameter ctl.sec.certs/thumbprint/1/2 is updated properly.
- Log into the Workspace ONE portal and perform an end to end remote management session. You may need to restart IIS and ARM (AetherPal) services on the Workspace ONE Assist server.
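The manual check of the Local Computer > Personal store described above can also be scripted. The following PowerShell is an added example, not part of the VMware tool or the original document. It assumes that "Issued To: AirWatch" corresponds to CN=AirWatch in the certificate subject and that the thumbprint parameter in the Admin Web Portal holds the certificate thumbprint; $IssuedTo and $ExpectedThumbprint are hypothetical parameter names.

```powershell
# Added example: report enrollment certificates in Local Computer > Personal (LocalMachine\My).
# Assumption: "Issued To: AirWatch" on the page corresponds to CN=AirWatch in the subject.
# Assumption: $ExpectedThumbprint is the thumbprint value you read from the Admin Web Portal.
param(
    [string]$IssuedTo = 'AirWatch',
    [string]$ExpectedThumbprint = ''
)

# The page states that the previous enrollment certificate expires on September 6, 2019.
$oldCertCutoff = [datetime]'2019-09-07'

# Normalise a pasted thumbprint (strip spaces and hidden characters, upper-case the hex).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$IssuedTo*" }

if (-not $certs) {
    Write-Warning "No certificate issued to '$IssuedTo' found in LocalMachine\My."
    exit 1
}

$report = foreach ($c in $certs) {
    if ($c.NotAfter -lt $oldCertCutoff) {
        $status = 'old enrollment certificate'
    } elseif ($c.NotAfter -lt (Get-Date)) {
        $status = 'expired'
    } else {
        $status = 'valid'
    }

    [pscustomobject]@{
        Subject           = $c.Subject
        Thumbprint        = $c.Thumbprint
        NotAfter          = $c.NotAfter
        HasPrivateKey     = $c.HasPrivateKey
        Status            = $status
        MatchesPortalCert = if ($expected) { $c.Thumbprint -eq $expected } else { 'not checked' }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on each server where the certificate was imported.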
Support Contact Information
To receive support or provide feedback, either submit a ticket via the My Workspace ONE portal or call your local support line.
Best Regards,
The VMware Workspace ONE Team