Robert Terakedis
Read More from the Author

Senior Technical Marketing Manager, End User Computing, VMware.
Robert is currently in his fifth year at VMware where he’s a Senior Technical Marketing Manager for all things Apple and Workspace ONE. He has over 16 years experience in the IT Industry, with roles spanning Enterprise Mobility solutions, Microsoft technologies, storage and network infrastructure. He is based out of Atlanta, Georgia and contributes regularly to VMware’s TechZone and EUC Blog and the MacAdmins.

Managing Identity Preferences to Streamline Single Sign-On for macOS

February 05, 2019

Does anyone love getting prompts? How many of your end-users know what a certificate is? Why is my web browser prompting for a certificate? Which one should I choose? These are all valid questions when an organization deploys certificates to enable Single Sign-on. I’ve been surprised to see how many folks don’t know certificate prompts can be avoided in macOS. What is the secret sauce? The Identity Preference Payload mentioned in the Configuration Profile Reference.

Figure 1 - Multiple Prompts for Certificates without Identity Preferences

Prerequisites

In the context of this blog post, I'm making a few assumptions to illustrate the functionality:

  1. An admin has a certificate authority and template configured per Workspace ONE UEM Integration with Microsoft ADCS via DCOM.
  2. VMware Identity Manager's authentication method "Certificate (Cloud)" configured to trust certificates issued by the ADCS root certificate authority.

Configuring Safari Identity Preferences

Figure 2 - macOS Certificate Payload

Configuring Identity Preferences for Safari takes a small amount of wizardry. The Configuration Profile Reference notes that the preference is set using the UUID of the MDM profile payload containing the certificate (the PayloadCertificateUUID). Unfortunately, admins don't know the UUID ahead of time, as it is randomly generated when they save the profile in the Workspace ONE UEM console. This means building the preference payload is a two-step process: generate the PayloadCertificateUUID by publishing a profile with a Credentials payload, then add the Custom Settings XML that sets the identity preference using that PayloadCertificateUUID. Here's where to get started with the Safari Identity Preference:

  1. In the Workspace ONE UEM console, click Add > Profile > macOS > User Profile.
  2. Enter a Name for the profile (such as "Safari Identity Preference") and choose an assignment group consisting of a single test computer.
  3. Click the Credentials payload and click Configure.
  4. Choose the Defined Certificate Authority as the credential source, and choose the appropriate Certificate Authority and Request Template.
  5. Check the box to Allow access to all applications.
  6. Click Save and Publish, then click Publish.

Determine the PayloadCertificateUUID

Figure 3 - Profiles Show Command Output

With the profile published and installed on the single test device, admins can obtain the payload UUID. While the profile payload may contain different information on each device (the issued certificate, for example), the Payload UUID will remain the same. Workspace ONE UEM does not generate a new Payload UUID for each individual device that receives the profile; rather, the UUID is fixed per payload and shared by every device receiving that profile. Using this UUID, we can build the Custom XML dictionary that actually sets the identity preference.

  1. On the test device, open Terminal.app and run: profiles show
  2. In the output of the command, find the line where the attribute name matches the profile name (in Figure 3, it was johndoe[6] attribute: name: Safari Identity Preferences/V_2).
  3. In the remaining lines beginning with the same profile identifier (johndoe[6] in the Figure 3 example), look for the payload[1] uuid line (in Figure 3, it was johndoe[6]    payload[1] uuid  = 9b5ee490-d68f-4983-b807-d7b866434be8).
  4. Copy the payload UUID (9b5ee490-d68f-4983-b807-d7b866434be8 in Figure 3).

Modify Identity Preference Profile XML

Figure 4 - Custom Settings XML for Identity Preference

Before adding the custom XML below (also shown in Figure 4) to the existing identity profile, admins must make two minor changes within the XML.

  1. Ensure the Name string contains the DNS hostname for which macOS should automatically supply the certificate for authentication. In the Figure 4 example, I've specified the DNS name of my VMware Identity Manager instance.
  2. The PayloadCertificateUUID string should contain the UUID obtained from Terminal.app. In the Figure 4 example, note where I've pasted the UUID.

<dict>
    <key>Name</key>
    <string>https://cas.vidmpreview.com/</string>
    <key>PayloadCertificateUUID</key>
    <string>9b5ee490-d68f-4983-b807-d7b866434be8</string>
    <key>PayloadUUID</key>
    <string>fd8a6b9e-0fed-406f-9571-8ec98722b711</string>
    <key>PayloadType</key>
    <string>com.apple.security.identitypreference</string>
    <key>PayloadDisplayName</key>
    <string>Identity Pref</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>com.apple.security.identitypreference</string>
</dict>
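As an added example (not code from this post or from Workspace ONE UEM), the following Python script automates steps 1 through 4 of the previous section together with the XML edit in this one: it extracts the payload UUID of a named profile from the text printed by profiles show and emits the identity preference dictionary. The profiles show text it parses is a constructed sample shaped like Figure 3; the profile name, URL and UUIDs are the ones used in this post.

```python
import plistlib
import re
import uuid

# Constructed sample of `profiles show` output (not captured from a real Mac);
# the profile name and payload UUID follow the Figure 3 walkthrough.
PROFILES_SHOW_OUTPUT = """\
johndoe[5] attribute: name: Corporate Wi-Fi
johndoe[5]    payload[1] uuid  = 0b2f1c7e-5a7d-4c1e-9d3a-2f4b6c8d0e1f
johndoe[6] attribute: name: Safari Identity Preferences/V_2
johndoe[6] attribute: profileIdentifier: com.example.safari-idpref
johndoe[6]    payload[1] uuid  = 9b5ee490-d68f-4983-b807-d7b866434be8
"""
UUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def find_payload_uuid(output, profile_name):
    """Return the payload[1] UUID of the named profile, or None if absent.
    Same logic as the manual steps: locate the 'attribute: name:' line, keep
    its 'user[n]' prefix, then read the 'payload[1] uuid' line with that prefix."""
    prefix = None
    for line in output.splitlines():
        m = re.match(r"^(\S+\[\d+\])\s+attribute: name: (.+)$", line)
        if m:  # a new profile block starts; track it only if it is ours
            prefix = m.group(1) if m.group(2).startswith(profile_name) else None
        elif prefix and line.startswith(prefix):
            m = re.search(r"payload\[1\] uuid\s*=\s*(" + UUID_RE + ")", line)
            if m:
                return m.group(1)
    return None

def identity_preference_payload(name, cert_uuid, payload_uuid=None):
    """Build the com.apple.security.identitypreference dict shown in Figure 4."""
    uuid.UUID(cert_uuid)  # a mistyped UUID fails here, not silently on the Mac
    return {
        "Name": name,  # the host (or URL) Safari should present the identity to
        "PayloadCertificateUUID": cert_uuid,
        "PayloadUUID": payload_uuid or str(uuid.uuid4()),
        "PayloadType": "com.apple.security.identitypreference",
        "PayloadDisplayName": "Identity Pref",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.apple.security.identitypreference",
    }

def identity_preference_xml(name, cert_uuid, payload_uuid=None):
    """Return just the <dict>...</dict> fragment, as pasted into Custom Settings."""
    payload = identity_preference_payload(name, cert_uuid, payload_uuid)
    xml = plistlib.dumps(payload, sort_keys=False).decode()
    return xml[xml.index("<dict>"):xml.rindex("</dict>") + len("</dict>")]
```

On the test Mac, feed the real profiles show output to find_payload_uuid and paste the fragment returned by identity_preference_xml into the Custom Settings payload.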

Add Custom Settings XML Payload to Profile

Figure 5 - Custom XML Profile Payload

With the PayloadCertificateUUID gathered and the Custom XML created, the next thing to do is to modify the existing Identity Preference profile. When the profile is edited, an admin must add the Custom Settings XML to the existing profile. To add the Custom XML, follow these steps:

  1. Within Workspace ONE UEM, click on Devices > Profiles & Resources > Profiles.
  2. Find the profile you created earlier and click it. Click Add Version.
  3. On the General tab, modify the assignment groups as necessary based on who needs this assignment.
  4. On the left side, scroll down to the Custom Settings payload and click Configure.
  5. Paste the XML dictionary generated in the previous step.
  6. Click Save & Publish, then click Publish.
  7. Confirm the updated profile gets delivered to the device by checking the device details view in Workspace ONE UEM.

Configure Chrome Identity Preferences

Figure 6 - Chrome Identity Preference Custom Settings XML

The Google Chrome identity preference setting is slightly easier to configure. Google Chrome relies on access to the Keychain in order to search the list of certificates and find a matching CN. As such, there is no need to include a Credentials payload with the Identity Preference, so long as the appropriate identity certificate has already been delivered to the user's keychain. To configure an Identity Preference (as shown in Figure 6) for Google Chrome on macOS:

  1. In the Workspace ONE UEM console, click Add > Profile > macOS > User Profile.
  2. Enter a Name for the profile (such as "Chrome Identity Preference") and choose an assignment group.
  3. On the left side, scroll down to the Custom Settings payload and click Configure.
  4. Paste the XML dictionary (shown in Figure 6 and included below). Be sure to modify the items specific to your environment: the URL used for pattern matching, and the CN of the issuing CA whose certificate should be used for authentication.
  5. Click Save & Publish, then click Publish.
  6. Confirm the updated profile gets delivered to the device by checking the device details view in Workspace ONE UEM.

<dict>
    <key>AutoSelectCertificateForUrls</key>
    <array>
        <!-- Replace <Your-ADCS-Issuing-CA> with the CN of your issuing CA; keep the value straight-quoted JSON -->
        <string>{"pattern":"https://cas.vidmpreview.com/","filter":{"ISSUER":{"CN":"<Your-ADCS-Issuing-CA>"}}}</string>
    </array>
    <key>PayloadDisplayName</key>
    <string>Google Chrome Settings</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>com.google.Chrome.4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadType</key>
    <string>com.google.Chrome</string>
    <key>PayloadUUID</key>
    <string>4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>

Note: Optionally, you can include the Custom Settings XML above as an additional payload in the profile that contains the Safari Identity Preference, rather than in a separate profile.
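Added example, not code from this post or from Google: a Python helper that builds each AutoSelectCertificateForUrls entry with json.dumps so the quoting is always valid JSON, flags entries that are not (the kind of defect a curly quote introduces when the filter is typed by hand), and assembles the Chrome payload with each key present exactly once. The URL is the post's example; the issuing CA name is a constructed placeholder.

```python
import json
import plistlib
import uuid

def chrome_auto_select_entry(pattern, issuer_cn):
    """Return one AutoSelectCertificateForUrls entry, JSON-encoded as Chrome reads it.
    json.dumps guarantees straight ASCII quotes; a typographic quote pasted
    from a word processor would make the entry invalid JSON."""
    entry = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
    return json.dumps(entry, separators=(",", ":"))

def validate_entries(entries):
    """Return the entries that are not valid JSON or lack pattern/filter/ISSUER/CN."""
    bad = []
    for entry in entries:
        try:
            parsed = json.loads(entry)
            _ = parsed["pattern"], parsed["filter"]["ISSUER"]["CN"]
        except (ValueError, KeyError, TypeError):
            bad.append(entry)
    return bad

def chrome_identity_payload(entries, payload_uuid=None):
    """Build the com.google.Chrome payload from Figure 6 (each key appears once)."""
    pu = (payload_uuid or str(uuid.uuid4())).upper()
    return {
        "AutoSelectCertificateForUrls": list(entries),
        "PayloadDisplayName": "Google Chrome Settings",
        "PayloadEnabled": True,
        "PayloadIdentifier": f"com.google.Chrome.{pu}",
        "PayloadType": "com.google.Chrome",
        "PayloadUUID": pu,
        "PayloadVersion": 1,
    }

def chrome_identity_xml(entries, payload_uuid=None):
    """Return just the <dict>...</dict> fragment for the Custom Settings payload."""
    xml = plistlib.dumps(chrome_identity_payload(entries, payload_uuid)).decode()
    return xml[xml.index("<dict>"):xml.rindex("</dict>") + len("</dict>")]

# Constructed values: the post's example URL and a placeholder issuing-CA name.
GOOD_ENTRY = chrome_auto_select_entry("https://cas.vidmpreview.com/", "Example Issuing CA")
# The same entry typed by hand with a curly closing quote (U+201D) before the CN value.
BAD_ENTRY = '{"pattern":"https://cas.vidmpreview.com/","filter":{"ISSUER":{"CN":\u201dExample Issuing CA"}}}'
```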

Contributors

Adam Matthews is a Systems Engineer for End-User Computing at VMware who assisted in the creation and validation of this content.


Comments

This article is perfect timing as we are doing a PoC of Identity Manager using certificate based authentication for our Macs. While I was able to get Chrome working based on your instructions, I'm not having any luck with Safari. In our case, we're using SCEP with AirWatch as being the CA. Would this require that we do anything different in the custom XML? Thanks.
By schwantje1@llnl.gov
March 12, 2019

I was able to get Safari working; I had to use the port number used by Identity Manager as part of the "Name" string. Is it possible to do the same thing with all of the Microsoft Office apps?
By schwantje1@llnl.gov
March 12, 2019