A Credentials profile pushes certificates to devices for use in authentication. AirWatch supports configuring credentials for personal, intermediate, trusted root, trusted publisher, and trusted people certificate stores.

To push certificates onto the devices, you need to configure a Credentials payload as part of the profiles that you create for EAS, Wi-Fi, and VPN settings.

To configure a Credentials payload:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Phone.
  3. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  4. Select the Credentials payload and configure the following settings:

    Settings Descriptions
    Credential Source

    Select the credential source as either an Upload or a Defined Certificate Authority, or User Certificate

    The remaining payload options are source-dependent.

    • If you select Upload, you must upload a new certificate.

      If you select Defined Certificate Authority, you must choose a predefined certificate authority and Template.
    • If you select User Certificate, you must select how the S/MIME certificate is used.
    Upload

    Select to navigate to the desired credential certificate file and upload it to the AirWatch Console.

    This setting displays when Upload is selected as the Credential Source.

    Certificate Authority

    Use the drop-down menu to select a predefined certificate authority.

    This setting displays when Defined Certificate Authority is selected as the Credential Source.

    Certificate Template

    Use the drop-down menu to select a predefined certificate template specific to the selected certificate authority.

    Displays when Defined Certificate Authority is selected as the Credential Source.

    Export Private Key

    Select Allow to let end users export certificates using Windows Certificate Manager or select Don't Allow to prohibit end users from exporting certificates.

    Key Location

    Select the location for the certificate private key:

    • TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the software.
    • TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
    • Software – Select to store the private key in the device software.
    • Passport – Select to save the private key within Microsoft Passport. This requires the AirWatch Protection Agent to be installed on the device.
    Certificate Store

    Select from the drop-down menu the appropriate certificate store for the credential to reside in on the device:

    • Personal – Select to store personal certificates.

    • Intermediate – Select to store certificates from Intermediate Certificate Authorities.
    • Trusted Root – Select to store certificates from Trusted Certificate Authorities as well as root certificates from your organization and Microsoft.
    • Trusted Publisher – Select to store certificates from Trusted Certificates Authorities that are trusted by software restriction policies.
    • Trusted People – Select to store certificates from trusted people or end entities that are explicitly trusted. Often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.
    Store Location Use the drop-down menu to select User or Machine to define where the certificate is located.
    S/MIME Select whether the S/MIME certificate is for encryption or signing.
  5. Select Save & Publish to push the profile to devices.
Note:

For Windows 8.0 and 8.1, the Root and Intermediate certificates silently install to the device without interaction from the end user. The Personal Certificates cannot be installed silently with the Credentials payload and require end-user interaction. Please see Installing a Certificate on Windows Phone 8 Devices section for more information. To silently install Personal Certificates without end-user involvement, see the SCEP Profile.