A Certificate Preference payload identifies a Certificate Preference item in the user's keychain that references a certificate payload included in the same profile. In simpler words, it allows you to automatically select the right certificate in the device user's keychain by preventing the device users from needing to navigate into their keychain and selecting the right certificate. You can add multiple Certificate Preference payloads as needed.

For Certificate-based authentication, you have to provide a certificate and optionally a preference to associate a certificate with a specified host. For example, if you want cert1 to authenticate access to https://www.corp.com, then you have to create a certificate preference with:

  • A SCEP payload
  • A Certificate preference payload to associate *.corp.com with the SCEP payload.

When the profile gets installed, the Certificate and the corresponding Certificate Preference get seated in the device keychain.

To create an identity preference profile:

  1. Navigate to Devices > Profiles & Resources > Profiles and select Add then Add Profile. Select Apple macOS, and then select User Profile, because this profile is only applicable to the enrollment user of the device.
  2. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  1. Select the Identity Preference payload.
  2. Enter the location (URL) or email address that requires certificate in the Location or Email Address text box.
  3. Select the preferred Payload Certificate for the specified location or address.
  4. Select Save & Publish when you are finished to push the profile to the devices.