S/MIME certificates are used primarily to encrypt/decrypt and sign emails, and unlike client authentication certificates, the same S/MIME certificate needs to be installed on all devices associated with a specific user.

To achieve this OpenTrust separates a user’s devices into primary and secondary devices. Each user can have only one primary device and multiple secondary devices. New S/MIME certificates can only be requested by the primary device and then installed on secondary devices. Primary and secondary devices will therefore need separate OpenTrust Profiles and corresponding AirWatch Templates, profiles, and assignment groups.


  1. Separate primary and secondary devices by assignment group.

    • Different assignment groups will need to be created for primary and secondary devices respectively. These can be Smart Groups, Organization Groups, or User Groups.
    • For example, create a smart group “Primary S/MIME” and populate it with one primary device per user. Create another smart group “Secondary S/MIME” which will contain all other devices.
  2. Add templates for primary and secondary devices.

    1. Create individual Certificate Authority Templates for primary and secondary devices. Navigate to Devices > Certificates > Certificate Authorities > Request Templates and select Add.
    2. Select OpenTrust CA as the Certificate Authority and under Profile Name choose the corresponding OpenTrust profile for primary devices.
    3. Configure any other settings required and select Save.
    4. Similarly, add another template where the Profile Name chosen is for secondary devices.
  3. Add device profiles.

    1. Create device profiles for primary devices, by platform, including Email and Credentials payloads.
    2. In the Credentials payload, select Defined Certificate Authority and choose the template defined for primary devices.
    3. Save and publish.
    4. Once confirmed, repeat for secondary devices.