AirWatch will provision the device with the parameters it needs to generate the keypair and submit the CSR to the SCEP endpoint. The SCEP endpoint will return a signed certificate back to the mobile device. The device will manage the certificate and its private key. The benefit to SCEP is that the private key never leaves the mobile device.

Certs_SCEP_01