Certificates are used to authenticate the communication between the AirWatch Console and AirWatch Cloud Connector (ACC).

How Certificates are Generated

  • You enable the ACC and then generate certificates for AirWatch and ACC.

    • Both certificates are unique to the group selected in the AirWatch Console and reside on the AirWatch server.

    • Both certificates are generated from a trusted AirWatch root.

  • You install ACC. The ACC certificate that AirWatch generates is automatically bundled and installed with ACC.

How Data is Routed in On-Premises Environments

  • AirWatch sends requests to AWCM. Requests are SSL encrypted using HTTPS.

  • ACC queries AWCM for AirWatch requests. Requests are SSL encrypted using HTTPS.

  • All data is sent through AWCM.

The ACC configuration trusts only messages signed by the AirWatch environment. This trust is unique per group.

Any additional ACC servers set up in the same AirWatch group as part of a highly available (HA) configuration are issued the same unique ACC certificate. For more information about high availability, refer to the VMware AirWatch Recommended Architecture Guide, available on AirWatch Resources.

How Data is Secured in On-Premises Environments

The AirWatch server sends each request as an encrypted and signed message to the AWCM.

  • Requests are encrypted using the unique public key of the ACC instance. Only ACC can decrypt the requests.

  • Requests are signed using the private key of the AirWatch server instance that is unique for each group. Therefore, ACC trusts the requests only from the configured AirWatch server.

  • Responses from ACC to the AirWatch server are encrypted with the same key as the request and signed with the ACC private key.