Smallstep can integrate with Omnissa Workspace ONE UEM to keep your device inventory in sync and to exchange SCEP tokens. A SCEP token is a single-use password that's used by devices to get a certificate from Smallstep.

<aside> 👉

In this tutorial, we create a configuration that enrolls endpoints using the Smallstep Devices CA, and it adds the Devices CA to each endpoint’s CA trust store. Your use case may vary. You may need endpoints to enroll with or trust a different CA at Smallstep.

</aside>

To configure the connection, let’s first set up an API role and credentials Workspace ONE. Then, we’ll add the client credentials to Smallstep.

Prerequisites

You will need:

• A Smallstep team
• A Workspace ONE UEM tenant
• A test device to enroll for management
  • For some use cases, an iOS simulator can work as a test device. If you’re testing an Enterprise Wi-Fi connection or an ACMECertificate payload, you will need a physical test device.

Step-by-step instructions

1. Connect Smallstep to Workspace ONE via OAuth

This section can be skipped if you already connected Smallstep and Workspace ONE for device sync.

First, we’ll create a scoped API Role for Smallstep:

1. In Workspace ONE UEM, navigate to Accounts → Admin Roles and choose + Add Role

2. Create a role named Smallstep

3. Smallstep needs Read access to Devices, using the REST API. Choose API → REST on the left, and choose ✅ Read for the row Devices :

   

4. Choose Save

Next, we’ll create an OAuth Client for Smallstep:

1. In Workspace ONE UEM, navigate to Groups & Settings → Configurations and find OAuth Client Management in the list