For Workspace ONE UEM to use a certificate in a profile to authenticate a user, the enterprise certificate authority does not need to be set up in the same domain as the Workspace ONE UEM server.

Workspace ONE UEM can retrieve a certificate from the certificate authority by several methods. Each method requires the basic installation and configuration described in this documentation. Sample CA configurations are shown below in the Workspace ONE UEM SaaS environment. Configurations will differ in on-premises environments.

Scenario #1: Workspace ONE UEM to NDES/SCEP/MSCEP and then to Certificate Authority

[Diagram: SaaS, SCEP to CA]

Scenario #2: Workspace ONE UEM to VMware Enterprise Systems Connector, then to NDES/SCEP/MSCEP, and then to Certificate Authority

[Diagram: SaaS, ACC to SCEP to CA]

Scenario #3: On-Premises DS and NDES in the DMZ with Internal AW Console and CA

[Diagram: on-premises without ACC]

Scenario #4: On-Premises with All Servers Internal and SCEP Proxy

[Diagram: on-premises with ACC]