Smallstep can integrate with Omnissa Workspace ONE UEM to keep your device inventory in sync and to exchange SCEP tokens. A SCEP token is a single-use password that's used by devices to get a certificate from Smallstep.

To configure the connection, let’s first set up an Application in Entra ID. Then, we’ll add the client credentials to Smallstep.

You will need:

• A Smallstep team
• A Workspace ONE UEM tenant
• A test device to enroll for management
  • This can be a Windows VM, but you may need a physical device or additional Wi-Fi adapter for testing an Enterprise Wi-Fi connection. Windows Home edition is not supported.

First, we’ll create a scoped API role for Smallstep:

1. In Workspace ONE UEM, navigate to Accounts → Admin Roles and choose + Add Role

2. Create a role named “Smallstep” with a description of “Smallstep Integration”

3. Smallstep needs Read access to Devices, using the REST API. Choose API → REST on the left, and choose ✅ Read for the row “Devices”

   

4. Choose Save

Next, we’ll create an OAuth client for Smallstep:

1. In Workspace ONE UEM, navigate to Groups & Settings → Configurations and find OAuth Client Management in the list
2. Choose Add and add a new client with a name of “Smallstep” and description of “Smallstep MDM Integration for Device Sync”
3. For Organization Group, select the group most appropriate for managing your desired device inventory
4. For Role, choose Smallstep
5. Choose Save
6. Copy the resulting client ID and secret value

In Smallstep, navigate to Settings → Device Management.

Configure a new Omnissa Workspace ONE Integration with the values you gathered above:

• The Workspace ONE UEM REST API URL for your tenant.
  • This URL is shown in UEM’s settings. Navigate to
    Groups and Settings → All Settings → System → Advanced → API → Rest API
  • Copy the REST API URL from that page
• The Workspace ONE UEM OAuth 2.0 Token URL for your region
• The OAuth client ID and secret you saved in Step 1

After saving the Workspace ONE connection, you will see settings for your integration. Copy the following details for later:

• SCEP URL
• SCEP Challenge URL
• Challenge Basic Authentication Username
• Challenge Basic Authentication Password

Within a few minutes after adding the connection, you should see all of your Workspace ONE devices in the Devices tab. Device inventory is synced approximately every four hours.

1. In Workspace One UEM, visit Resources → Scripts
2. Choose Add and then Windows

   1. In the General tab, provide a name for the script, such as “Smallstep Agent Enrollment”

   2. On the Details tab, ensure the Language is “Poweshell” and the Execution Context & Privileges is “System Context”

   3. Use the following snippet as the Code, making sure to replace <team-id> with the Team ID value you copied from the Smallstep UI earlier.

      New-Item -Path "HKLM:\Software\Policies\Smallstep"
      Set-ItemProperty -Path "HKLM:\Software\Policies\Smallstep" -Name "TeamSlug" -Value "<team-id>"
      Set-ItemProperty -Path "HKLM:\Software\Policies\Smallstep" -Name "Certificate" -Value "capi:store-location=machine;store=My;issuer=Smallstep (<team-id>) Agents Intermediate CA;cn=$env:DEVICE_ID"
      

   4. In the Variables tab, click Add. Set the variable Key to DEVICE_ID and the variable Value to {DeviceUuId}

In this step, we’ll add the Smallstep Agent to Workspace One UEM for distribution to devices.

1. In Workspace One UEM,
   • Go to Resources → Native Apps.
   • Choose Add → Application File.
   • Download the latest version of step-agent-plugin_amd64_<version>.msi and select it for upload to UEM. Note the version number you downloaded—you’ll need it later.
   • Choose Continue
2. In the Add Application panel’s Details tab,
   • Set Supported Processor Architecture to 64-bit (or ARM64 if used)
   • For Minimum OS, select Windows 10 (10.0.15063)
3. In the Add Application panel’s Deployment Options tab,
   • Set Install Context to Device
4. FInally, choose Save & Assign

Got ARM64 devices?
If you also are deploying to ARM-based devices, add another Native App for the arm64 version of our MSI installer. Workspace ONE will try to distribute both installers to both arm64 and amd64 devices. To avoid this, segregate your devices by OS and CPU Architecture. To do this, create two new Smart Groups in Groups & Settings → Assignment Groups—one for arm64 devices, and one for amd64 devices. Assign each application to the appropriate Smart Group.

After saving the Native App, you'll see the Application Assignment panel.

1. Give the Assignment a name
2. Choose the groups you’d like to assign the application to. Assign the app to a single devices or a small group of test devices for a staged rollout.
3. Select App Delivery Method: Auto
4. Create the Assignment.
5. Choose Save
6. Choose Publish to begin distributing the app.

In this step, we’ll tie everything together by creating Windows policy to enroll devices using the Smallstep Agent.

1. You’ll need the following values from when your configuration your Workspace ONE connection:
   • SCEP URL
   • SCEP Challenge URL
   • Challenge Basic Authentication Username
   • Challenge Basic Authentication Password
   If you need to retrieve these again, you can always visit: **Settings → Device Management → Omnissa Workspace ONE**

For compatibility with Workspace ONE, Smallstep emulates the Microsoft ADCS’s Dynamic SCEP and NDES enrollment protocols.

1. In Workspace One UEM, visit Resources → Certificate Authorities
2. Choose + Add
   1. Provide a name for the CA connection, e.g. Smallstep Agents CA
   2. For Authority Type, choose Microsoft ADCS
   3. For Protocol, choose SCEP
   4. For Version, choose NDES 2008/2012 (NDES for SCEP)
   5. Provide the SCEP URL from Step 1
   6. For Challenge Type, choose Dynamic
   7. Provide the Challenge Username and Password from Step 1
   8. No client certificate is needed
   9. Provide the SCEP Challenge URL from Step 1
   10. Choose Show Advanced Options
       • For SCEP Challenge Length, choose 32
   11. Choose Test Connection and wait for a ✅ success modal
3. Choose Save and Add Template

A new modal screen will be presented with the empty Request Template configuration

1. Provide a name for the Template, e.g. Smallstep Agents
2. For Certificate Authority, choose the Smallstep CA you just connected
3. For the subject name, use a value of CN={DeviceUuid}
4. For Private Key Length, use 2048
5. For Private Key Type, choose both Signing and Encryption
6. Add a new SAN Type of type URL, and set the value to deviceid://{DeviceUuid}
7. For Automatic Certificate Renewal, choose Enabled
   • Pick an appropriate Auto Renewal Period (5 days is common)
8. Ensure Publish Private Key is Disabled
9. Choose Save

1. In Workspace One UEM,
   1. Go to Resources → Profiles.
   2. Click Add, and pick Add Profile from the drop-down
   3. Click Windows, and then select Windows again
   4. Click Device Profile
   5. Under General, Provide a name (e.g. “Smallstep Device Enrollment”)
      1. Select the All Devices group in the Smart Groups dropdown
      2. Other options can be left as-is
      3. Optionally, click the View Device Assignment button to see the devices to which the profile will be distributed
   6. Add a Credential by clicking the Configure button , and set the following settings:
      1. Credential Store: Defined Certificate Authority
      2. Certificate Authority: Choose the CA connection you created earlier
      3. The certificate template should be selected automatically. If not, select an appropriate one.
      4. Key Location: TPM Required
      5. Certificate Store: Personal
   7. Click Save and Publish to finalize the configuration of the profile.
   8. A modal screen will be shown with the devices to which the profile will be distributed. Click Publish if the assignment looks OK.

There's two ways to confirm installation on an endpoint:

• In the Smallstep UI, go to the device's profile page. In the Device Registration section, you'll see an Enrolled At timestamp.