The AirWatch Agent for iOS collects and delivers managed device information to the AirWatch Console. Because this information may contain sensitive data, AirWatch takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.

AirWatch uses a unique certificate pair to sign and encrypt all communication between AirWatch Agent for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in AirWatch. This overview details the benefits and necessities of both security enhancements. iOS_AgentSecurity1

Understanding the Certificate Exchange

Before any data is transferred, the AirWatch Agent application and the server trade personalized certificates. This relationship is established when AirWatch Agent for iOS checks into the AirWatch server for the first time during enrollment.


  1. AirWatch Agent for iOS communicates with the AirWatch server to obtain the server’s certificate public key. Both AirWatch Agent for iOS and the AirWatch server trust the public key of the AirWatch Root certificate, which verifies the authenticity of all certificates involved in the enrollment exchange.
  2. AirWatch Agent for iOS validates the server’s certificate against the AirWatch Root CA certificate.
  3. AirWatch Agent for iOS sends a unique certificate public key to the AirWatch server.

  4. The AirWatch server associates the AirWatch Agent’s certificate with that device in the database.

Securing the Data in Transit

After the initial exchange of certificates, all data sent to the AirWatch Console is encrypted from that point forward. The following table shows the two certificates involved and their responsibility in the transaction.

  Agent Certificate Server Certificate
AirWatch Agent Sign the Data Encrypt the Data
AirWatch Server Verify the Data Origin Decrypt the Data

APIs and Application Functionality

There are two categories of APIs that AirWatch uses with iOS devices for management and tracking capabilities:

  • Over-the-Air (OTA) MDM APIs are activated through the enrollment process regardless if AirWatch Agent for iOS is used or not.
  • Native iOS SDK APIs are available to any third-party application, including AirWatch Agent applications and any other application using the AirWatch Software Development Kit (SDK).

The AirWatch Agent for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When using AirWatch Agent for iOS combined with the AirWatch SDK for iOS, administrators can take advantage of more MDM features for applications, more so than what is offered in the Over-the-Air (OTA) MDM API layer.