Create and deploy the Apple iOS device profile in AirWatch to push the Identity Provider settings to the device. This profile contains the information necessary for the device to connect to the VMware Identity Provider and the certificate that the device uses to authenticate.

Built-in Kerberos configured in Identity Manager.

VMware Identity Manager KDC server root certificate file saved to a computer that can be accessed from the AirWatch admin console.

Certificate enabled and downloaded from the AirWatch admin console System > Enterprise Integration > VMware Identity Manager page.

List of URLs and application bundle IDs that use Built-in Kerberos authentication on iOS devices.


In the AirWatch admin console, navigate to Devices > Profiles > ListView > Add Profile and select Apple IOS.


Configure the profile’s General settings and enter the name of the device as iOSKerberos.


In the left navigation pane, select SCEP > Configure to configure the credential.



Credential Source

Select AirWatch Certificate Authority from the drop-down menu.

Certificate Authority

Select the AirWatch Certificate Authority from the drop-down menu.

Certificate Template

Select Single Sign On to set the type of certificate that is issued by the AirWatch Certificate Authority.


Click Credentials > Configure and create a second credential.


In the Credential Source drop-down menu, select Upload.


Enter the iOS Kerberos credential name.


Click Upload to upload the VMware Identity Manager KDC server root certificate that is downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity provider page.


In the left navigation pane, select Single Sign-On.


Enter the Connection information.



Account Name

Enter Kerberos.

Kerberos Principal Name

Click + and select {EnrollmentUser}.


Enter the realm name you used when you initialized KDC in the VMware Identity Manager appliance. For example, EXAMPLE.COM.

Renewal Certificate

Select Certificate#1 from the drop-down menu.

URL Prefixes

Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP.

Enter the VMware Identity Manager server URL as


Enter the list of application identities that are allowed to use this sign-in. To perform single sign-on using iOS built-in Safari browser, enter the first application bundle ID as Continue to enter application bundle IDs. The applications listed must support SAML authentication


Click Save & Publish.

When the iOS profile is successfully pushed to users's devices, users can sign-on to VMware Identity Manager using the Built-in Kerberos authentication method without entering their credentials.

Create another profile to configure any other desired features for iOS Kerberos, for example Web Clips to create icons for Web Apps that you push from AirWatch to iOS device home pages or the app catalog.