- 10 Jun 2026
Conductor NHI - Omnissa Workspace ONE integration
- Updated on 10 Jun 2026
This guide explains how to configure Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM / AirWatch) so that managed devices automatically enroll for digital certificates issued by Axiad Conductor. Axiad Conductor exposes a certificate management interface called Mobile Guard, which Workspace ONE connects to using its built-in OpenTrust CMS Mobile certificate authority type.
A note on naming. VMware acquired AirWatch in 2014 and later rebranded the product to Workspace ONE UEM; the platform is now part of Omnissa. Depending on your tenant version, you may still see references to AirWatch, VMware, or AWMDM. These all refer to the same product. Inside Workspace ONE, the Axiad Mobile Guard interface is selected using the authority type OpenTrust CMS Mobile.
How the integration works
Once configured, the flow is as follows:
Workspace ONE UEM pushes a device profile containing a certificate credential to an enrolled device.
To fulfill that credential, Workspace ONE submits an enrollment request to the Axiad Mobile Guard endpoint.
Mobile Guard relays the request to the Axiad Conductor PKI, which issues the certificate.
The certificate is returned through Workspace ONE and installed on the device.
If you later enable it, Workspace ONE can also request revocation of a certificate (for example, when a device is unenrolled or wiped).
[topology-diagram]
Workspace ONE UEM (SaaS) connects directly over HTTPS to the Axiad Conductor NHI connector, which relays enrollment and revocation requests to Axiad Machine-PKIaaS.
What Axiad provides to you
Before you begin, your Axiad Customer Success team will provide the following. Have these on hand:
| Item | Description |
|---|---|
| Service account certificate (.p12) | A certificate and private key bundle, in |
| Mobile Guard server URL | The endpoint Workspace ONE connects to, in the format |
| CA trust chain | The root and any issuing CA certificate(s) for the Axiad-issued certificates, so that your managed devices trust them. |
| Certificate profile name | The name of the certificate profile configured on the Axiad side (for example, |
Prerequisites on your side
Workspace ONE UEM deployment. Both SaaS and on-premises deployments are supported.
Outbound HTTPS connectivity. Workspace ONE UEM connects directly over HTTPS (port 443) to the Axiad Conductor NHI endpoint. Ensure your tenant can reach the Mobile Guard server URL provided by Axiad, and allow this outbound traffic through any egress controls.
Administrative access to the Workspace ONE UEM console with rights to manage Certificate Authorities, Request Templates, and Profiles.
Tip. Confirm that your Workspace ONE tenant can reach the Axiad Conductor NHI endpoint over HTTPS before you start. If the endpoint is not reachable, the connection test in Step 1 will fail.
Step 1 — Add the Certificate Authority
In the Workspace ONE UEM console, go to Groups & Settings → All Settings → System → Enterprise Integration → Certificate Authorities, then click Add.
Configure the following fields:
Name — any descriptive name of your choosing (for example, Axiad Conductor).
Authority Type — select OpenTrust CMS Mobile.
Server URL — the Mobile Guard endpoint provided by Axiad, in the form https://mobile-<TENANT>.axiadids.net/connector/mdm.cgi.
Certificate — upload the service account .p12 file provided by Axiad. The file must contain the private key, and you will be prompted for the bundle password.
[screenshot1]
Groups & Settings → All Settings → System → Enterprise Integration → Certificate Authorities → Add.
[screenshot2]
Configure Name, Authority Type (OpenTrust CMS Mobile), and the Server URL provided by Axiad.
[screenshot3]
Upload the service account .p12 bundle (must contain the private key) and enter the bundle password.
Click Save, then use the Test Connection button. The result appears near the top of the page. A successful test confirms Workspace ONE can reach and authenticate to Mobile Guard.
[screenshot4]
A successful connection test confirms Workspace ONE can reach the Axiad Conductor NHI endpoint.
If the test fails, see Troubleshooting below.
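A pre-upload check for the service account bundle used in Step 1, as an added example that is not Axiad or Omnissa code: it confirms the .p12 opens with the password you were given, contains a private key, and holds a certificate that is not about to expire. The function names, file names and the constructed test bundles are assumptions, and the openssl command-line tool must be installed.

```shell
# check_p12 FILE PASSWORD [MIN_DAYS]   (added example, not vendor code)
# Returns 0 = usable, 1 = cannot open (wrong password or not PKCS#12),
# 2 = no private key in the bundle, 3 = certificate missing or expiring
# within MIN_DAYS days (default 0, meaning already expired).
check_p12() {
    p12_file=$1
    p12_days=${3:-0}
    # The password is handed over in an environment variable so it does not
    # show up in the process list the way a pass:... argument would.
    P12_PASS="$2" openssl pkcs12 -in "$p12_file" -passin env:P12_PASS -noout \
        2>/dev/null || return 1
    # -nocerts -nodes prints only the key; it goes to a pipe, never to disk.
    P12_PASS="$2" openssl pkcs12 -in "$p12_file" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' || return 2
    # -clcerts selects the end-entity certificate; -checkend takes seconds.
    P12_PASS="$2" openssl pkcs12 -in "$p12_file" -passin env:P12_PASS \
        -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -checkend $((p12_days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample input: writes with-key.p12 (certificate + key) and
# cert-only.p12 (certificate only) into directory $1, protected by password $2.
make_constructed_bundles() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=constructed-service-account' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/key.pem" \
        -in "$1/cert.pem" -passout env:P12_PASS -out "$1/with-key.p12"
    P12_PASS="$2" openssl pkcs12 -export -nokeys \
        -in "$1/cert.pem" -passout env:P12_PASS -out "$1/cert-only.p12"
}
```

A result of 2 means the file holds only a certificate, which Workspace ONE cannot use to authenticate to Mobile Guard.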
Step 2 — Add a Request Template
The request template maps the certificate profile available in Axiad Mobile Guard to one Workspace ONE can use, and lets you insert Workspace ONE UEM lookup values (for example, the device serial number) into the enrollment request.
[screenshot5]
Open the Request Templates tab and add a new template.
Go to Groups & Settings → All Settings → System → Enterprise Integration → Certificate Authorities → Request Templates and click Add. Configure:
Name — any descriptive name.
Certificate Authority — select the CA you created in Step 1.
Profile Name — this list is populated dynamically by querying Mobile Guard. If the Step 1 connection test succeeded and Axiad has configured your profile, the available certificate profile(s) (for example, VMWare UEM) appear in the dropdown. Select the profile Axiad has indicated.
Mandatory fields — map the required subject fields to Workspace ONE UEM lookup values appropriate for your environment. Typical mappings are:
CN (Common Name) — e.g. the enrollment user or device identifier
mobileserial — the device serial number lookup value
msUPN — the user's Microsoft User Principal Name
Click Save.
[screenshot6]
The Profile Name dropdown is populated from Mobile Guard; map mandatory fields (e.g. CN, mobileserial, msUPN) to Workspace ONE UEM lookup values.
Note. The exact mandatory fields are determined by the certificate profile Axiad configured for you. Use the field names shown in the dropdown and confirm the intended mappings with your Axiad Customer Success team if you are unsure.
Step 3 — Create and deploy a device profile
Next, attach the request template to a device profile and deploy it to your devices. The detailed steps below use iOS as the example; the same pattern applies to other platforms (see Other platforms).
iOS (example)
Go to Resources → Profiles & Baselines → Profiles and click Add → Add Profile.
Select Apple iOS, then Device.
Give the profile a name in the General payload.
Select the Credentials payload and click Configure / Add.
Set Credential Source to Defined Certificate Authority, then select the Certificate Authority and Certificate Template (request template) you created in Steps 1 and 2.
Add the CA trust chain so devices trust the Axiad-issued certificates. Add an additional Credentials payload with Credential Source set to Upload, and upload each certificate in the chain (root, issuing, etc.). Repeat for every certificate in the chain.
Click Next, then assign and Save & Publish the profile to your target devices following your normal deployment process.
[screenshot7]
Add a new profile and select Apple iOS, then Device.
[screenshot8]
In the Credentials payload, set Credential Source to Defined Certificate Authority and select the CA and request template from Steps 1 and 2.
[screenshot9]
Add additional Credentials payloads with Credential Source = Upload for each certificate in the CA trust chain.
[screenshot10]
Assign and publish the profile to your target devices.
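A check for the trust-chain step above, as an added example that is not Axiad or Omnissa code: check_chain confirms that a certificate verifies using only the root and issuing CA files you are about to upload, so a missing issuing CA shows up before the profile is published. The function names, file names and the constructed three-tier chain are assumptions; it needs the openssl command-line tool and PEM-encoded certificates.

```shell
# check_chain CERT ROOT [INTERMEDIATE...]   (added example, not vendor code)
# Returns 0 only if CERT verifies with ROOT as the sole trust anchor and the
# listed intermediates as the only helper certificates.
check_chain() {
    cc_cert=$1
    cc_root=$2
    shift 2
    cc_tmp=$(mktemp) || return 2
    if [ "$#" -gt 0 ]; then
        # Intermediates are passed as untrusted: they may complete the path
        # but are never treated as anchors themselves.
        cat "$@" > "$cc_tmp"
        set -- -untrusted "$cc_tmp"
    fi
    cc_rc=0
    # -no-CApath: do not also consult the system certificate directory.
    openssl verify -no-CApath -CAfile "$cc_root" "$@" "$cc_cert" \
        >/dev/null 2>&1 || cc_rc=$?
    rm -f "$cc_tmp"
    return "$cc_rc"
}

# Constructed sample input: root CA -> issuing CA -> device certificate,
# written into directory $1 as root.pem, issuing.pem and device.pem.
make_constructed_chain() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Constructed Root CA' \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Issuing CA' \
        -keyout "$1/issuing.key" -out "$1/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -extfile "$1/ca.cnf" \
        -extensions ca -days 2 -out "$1/issuing.pem" 2>/dev/null
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=constructed-device' \
        -keyout "$1/device.key" -out "$1/device.csr" 2>/dev/null
    openssl x509 -req -in "$1/device.csr" -CA "$1/issuing.pem" \
        -CAkey "$1/issuing.key" -CAcreateserial -days 2 \
        -out "$1/device.pem" 2>/dev/null
}
```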
Other platforms (Android and beyond)
Certificate enrollment through the OpenTrust CMS Mobile authority follows the same pattern on other Workspace ONE UEM platforms. For Android (and other supported OSes):
Create a new profile for the target platform under Resources → Profiles & Baselines → Profiles.
Add a Credentials payload with Credential Source = Defined Certificate Authority, and select the same Axiad Certificate Authority and request template.
Add the CA trust chain via additional uploaded Credentials payloads as needed.
Where a downstream payload (such as Wi-Fi, VPN, or EAP) consumes the certificate, reference this Credentials payload.
Assign and publish to your target devices.
Note. Field availability, payload names, and on-device verification steps vary by platform and by Workspace ONE UEM version. The CA and request template you created in Steps 1 and 2 are shared across all platforms — you do not need to recreate them per platform.
Step 4 — Verify enrollment
From the Workspace ONE UEM console
Open the profile you created and click View Devices / Installed Status. Hover over the status to drill down to individual devices. A status of Installed indicates a successful certificate enrollment.
[screenshot11]
Under the profile, open Installed Status to see deployment results.
[screenshot12]
An Installed status indicates a successful enrollment.
On an iOS device
Go to Settings → General → VPN & Device Management → Device Manager → More Details. You should see a certificate issued by your Axiad CA, with the subject fields matching what you configured in the request template.
[screenshot13]
On the device, the installed certificate shows the subject fields configured in the request template.
Optional — Configure automatic certificate revocation
Workspace ONE UEM can automatically request that a certificate be revoked under conditions you define (for example, when a device is unenrolled, deleted, or wiped).
To enable this, locate the revocation settings for the certificate credential / CA integration in Workspace ONE and select the conditions under which a revocation should be requested.
Prerequisite. Automatic revocation only works if the Axiad side is configured to allow it — specifically, the Mobile Guard management profile must permit revocation by an administrator, and the service account must hold revoke rights on the certificate profile in use. Your Axiad Customer Success team configures this; confirm it is in place before relying on automatic revocation.
Troubleshooting
If the connection test in Step 1 fails, or certificates do not install, review the logs below.
Workspace ONE UEM console
Go to Monitor → Reports & Analytics → Events → Console Events. Click into an event for more verbose detail. Errors raised when adding the CA or publishing the profile appear here.
Quick checklist
Is the Mobile Guard Server URL correct and reachable from the Workspace ONE tenant over HTTPS (port 443)?
Was the .p12 uploaded correctly in the CA configuration, and was the correct bundle password entered?
Did the Test Connection succeed before you tried to add the request template? (The profile dropdown only populates after a successful connection.)
Do any egress firewall or proxy rules allow the outbound HTTPS connection to the Axiad Conductor NHI endpoint?
Need help?
If you do not see your certificate profile in the request template dropdown, the connection test continues to fail after checking the items above, or you need the service account certificate, Mobile Guard URL, or CA trust chain, contact your Axiad Customer Success team.