This document explains the installation and setup of the Enrollment Agent Signing Certificate for direct integration with AirWatch using ADCS over the DCOM protocol.
This setup allows AirWatch to take advantage of Microsoft’s Certificate Enroll On Behalf Of Others function. By default, only domain administrators are granted permission to request a certificate on behalf of another user. However, a user or computer account other than a domain administrator can be granted permission to become an enrollment agent. A user becomes an enrollment agent by enrolling for an Enrollment Agent certificate. For integration with AirWatch, a computer account will be used.
Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, AirWatch strongly recommends that your organization maintain very strong security policies for these certificates.