The AirWatch Agent for iOS collects and delivers managed device information to the UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.

Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between AirWatch Agent for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview details the benefits and necessities of both security enhancements.

Understanding the Certificate Exchange

Before any data is transferred, the AirWatch Agent application and the server trade personalized certificates. This relationship is established when AirWatch Agent for iOS checks into the Workspace ONE UEM server for the first time during enrollment.


  1. AirWatch Agent for iOS communicates with the Workspace ONE UEM server to obtain the server’s certificate public key. Both AirWatch Agent for iOS and the Workspace ONE UEM server trust the public key of the Workspace ONE UEM Root certificate, which verifies the authenticity of all certificates involved in the enrollment exchange.
  2. AirWatch Agent for iOS validates the server’s certificate against the Workspace ONE UEM Root CA certificate.
  3. AirWatch Agent for iOS sends a unique certificate public key to the Workspace ONE UEM server.
  4. The Workspace ONE UEM server associates the AirWatch Agent’s certificate with that device in the database.

Securing the Data in Transit

After the initial exchange of certificates, all data sent to the UEM console is encrypted. The following table shows the two certificates involved and what each party uses them for in the transaction.

                            Agent Certificate         Server Certificate
  AirWatch Agent            Sign the Data             Encrypt the Data
  Workspace ONE UEM Server  Verify the Data Origin    Decrypt the Data
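
The division of work in the table above can be sketched as follows. This is an added Go example, not VMware code: the agent signs with its own key and encrypts to the server's key, and the server decrypts with its own key and verifies the origin against the key it stored for the device during enrollment. The algorithms (RSA-PSS, RSA-OAEP), the names Seal, Open and entropy, the enrolled map and the device ID are assumptions; the page does not state the product's algorithms or message format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assumed for this example (the page names no algorithms): RSA-PSS to sign, RSA-OAEP
// to encrypt, payloads small enough for direct RSA; entropy is the shared randomness source.
var entropy = rand.Reader

// Seal is the agent side: sign with the agent key, encrypt to the server key.
func Seal(agent *rsa.PrivateKey, server *rsa.PublicKey, data []byte) (ct, sig []byte, err error) {
	sum := sha256.Sum256(data)
	if sig, err = rsa.SignPSS(entropy, agent, crypto.SHA256, sum[:], nil); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), entropy, server, data, nil)
	return ct, sig, err
}

// Open is the server side: decrypt with the server key, then check the signature
// against the public key stored for that device at enrollment (step 4).
func Open(server *rsa.PrivateKey, enrolled map[string]*rsa.PublicKey, deviceID string, ct, sig []byte) ([]byte, error) {
	pub, ok := enrolled[deviceID]
	if !ok {
		return nil, fmt.Errorf("device %q is not enrolled", deviceID)
	}
	data, err := rsa.DecryptOAEP(sha256.New(), entropy, server, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	sum := sha256.Sum256(data)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, sum[:], sig, nil); err != nil {
		return nil, fmt.Errorf("origin check: %w", err)
	}
	return data, nil
}

func main() {
	srv, _ := rsa.GenerateKey(entropy, 2048)
	dev, _ := rsa.GenerateKey(entropy, 2048)
	enrolled := map[string]*rsa.PublicKey{"device-1": &dev.PublicKey}
	ct, sig, _ := Seal(dev, &srv.PublicKey, []byte(`{"battery":87}`)) // constructed sample
	out, err := Open(srv, enrolled, "device-1", ct, sig)
	fmt.Println(string(out), err)
}
```

Open returns no data unless both checks pass, so a payload signed by a key that was never associated with the device is rejected even though it decrypts correctly.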

APIs and Application Functionality

There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management and tracking capabilities:

  • Over-the-Air (OTA) MDM APIs are activated through the enrollment process regardless of whether AirWatch Agent for iOS is used.
  • Native iOS SDK APIs are available to any third-party application, including AirWatch Agent applications and any other application using the Workspace ONE UEM Software Development Kit (SDK).

The AirWatch Agent for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When using AirWatch Agent for iOS combined with the Workspace ONE UEM SDK for iOS, administrators can take advantage of more MDM features for applications than the Over-the-Air (OTA) MDM API layer offers.