Even if you protect your corporate email, Wi-Fi and VPN with strong passcodes and other restrictions, your infrastructure may remain vulnerable to brute force and dictionary attacks, in addition to employee error. For greater security, you can implement digital certificates to protect corporate assets.

To assign certificates, you must first define a certificate authority. Then, configure a Credentials payload alongside your Exchange ActiveSync (EAS), Wi-Fi, or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.

To push down certificates to devices, you must configure a Credentials or SCEP payload as part of the profiles you created for EAS, Wi-Fi, and VPN settings. Use the following instructions to create a certificate-enabled profile:


  1. Navigate toResources > Profiles & Baselines > Profiles > Add and select iOS from the platform list.
  2. Configure the profile's General settings.
  3. Select either the EAS, Wi-Fi, or VPN payload to configure. Fill out the necessary information, depending on the payload you selected.
  4. Select the Credentials (or SCEP) payload.
  5. Choose one option from the Credentials Source menu:
    1. Choose to Upload a certificate and enter the Certificate Name.
    2. Choose Defined Certificate Authority and select the appropriate Certificate Authority and Certificate Template.
    3. Choose User Certificate and the use for the S/MIME certificate.
    4. Choose Derived Credentials and select the appropriate Key Usage based on how the certificate is used. Key Usage options are Authentication, Signing, and Encryption.
  6. Navigate back to the previous payload for EAS, Wi-Fi, or VPN.
  7. Specify the Identity Certificate in the payload:
    1. EAS – Select the Payload Certificate under Login Information.
    2. Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise or Any (Enterprise)) and select the Identity Certificate under Authentication.
    3. VPN – Select a compatible Connection Type (for example, CISCO AnyConnect, F5 SSL) and select Certificate from the User Authentication drop-down. Select the Identity Certificate.
  8. Navigate back to Credentials (or SCEP) payload.
  9. Select Save & Publish after configuring any remaining settings.