Even if you protect your corporate email, Wi-Fi and VPN with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute-force and dictionary attacks and to employee error. For greater security, you can implement digital certificates to protect corporate assets.

To do this, you must first define a certificate authority. Then configure a Credentials payload alongside your Exchange Web Service, Wi-Fi or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.

To push certificates down to devices, you need to configure a Credentials or SCEP payload as part of the profiles you created for EAS, Wi-Fi and VPN settings. Use the following instructions to create a Credentials payload:

  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile applies only to the enrollment user on the device (User Profile) or to the entire device (Device Profile).
  2. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  3. Select either the Exchange Web Services, Wi-Fi or VPN payload to configure. Configure the payload you selected.
  4. Select the Credentials (or SCEP) payload. Then either Upload a certificate, or select Defined Certificate Authority from the Credential Source drop-down and select the Certificate Authority and Certificate Template from their respective drop-downs.
  5. Navigate back to the previous payload for Exchange Web Services, Wi-Fi or VPN. Specify the Identity Certificate in the payload:
    • Exchange Web Service – Select the Payload Certificate under Login Information.
    • Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise or Any (Enterprise)) and select the Identity Certificate under Authentication.
    • VPN – Select a compatible Connection Type (for example, CISCO AnyConnect, F5 SSL) and select Certificate from the Machine/User Authentication drop-down. Select the Identity Certificate.
  6. Return to the Credentials payload and choose the following allowances:
    • Allow access to all applications – Select whether applications are allowed to access the certificate in the Keychain.
    • Allow export from the Keychain – Select whether users are allowed to export the private key from the installed certificate.
  7. Select Save and Publish.
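
The following check is an added example, not part of the product documentation: it audits an unsigned .mobileconfig for the two allowances from step 6 and for the identity certificate association from step 5 (Wi-Fi case). The key names follow Apple's configuration profile payload format; that the console's allowances map to `AllowAllAppsAccess` and `KeyIsExtractable` is an assumption, and the sample profile is constructed.

```python
import plistlib

# Payload type identifiers from Apple's configuration profile format.
CRED_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}
WIFI_TYPE = "com.apple.wifi.managed"

def audit_profile(profile_bytes):
    """Return findings for an unsigned .mobileconfig supplied as plist bytes."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    creds = {p.get("PayloadUUID"): p for p in payloads
             if p.get("PayloadType") in CRED_TYPES}
    findings = []
    for uuid, p in creds.items():
        # SCEP nests its settings in a PayloadContent dict; PKCS#12 keeps
        # them at the top level (its PayloadContent is the certificate data).
        inner = p.get("PayloadContent")
        settings = inner if isinstance(inner, dict) else p
        if settings.get("AllowAllAppsAccess", False):
            findings.append((uuid, "all applications may use the key"))
        # Assumption: a missing KeyIsExtractable is treated as exportable.
        if settings.get("KeyIsExtractable", True):
            findings.append((uuid, "private key can be exported"))
    for p in payloads:
        if p.get("PayloadType") != WIFI_TYPE or "EAPClientConfiguration" not in p:
            continue  # only enterprise Wi-Fi payloads need an identity certificate
        ref = p.get("PayloadCertificateUUID")
        if ref not in creds:
            findings.append((p.get("PayloadUUID"),
                             f"identity certificate {ref!r} not in profile"))
    return findings

def sample_profile(allow_all, extractable, wifi_ref):
    """Constructed profile: one PKCS#12 credential, one enterprise Wi-Fi payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.pkcs12",
             "PayloadUUID": "CRED-0001",             # constructed identifier
             "PayloadContent": b"placeholder-p12",   # constructed, not a real PKCS#12
             "AllowAllAppsAccess": allow_all,
             "KeyIsExtractable": extractable},
            {"PayloadType": WIFI_TYPE,
             "PayloadUUID": "WIFI-0001",             # constructed identifier
             "SSID_STR": "corp-example",
             "EncryptionType": "WPA2",
             "EAPClientConfiguration": {"AcceptEAPTypes": [13]},  # 13 = EAP-TLS
             "PayloadCertificateUUID": wifi_ref},
        ],
    })

if __name__ == "__main__":
    for finding in audit_profile(sample_profile(True, True, "CRED-9999")):
        print(finding)
```
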