A Credentials profile pushes certificates to devices for use in authentication. With Workspace ONE UEM, you can configure credentials for personal, intermediate, trusted root, trusted publisher, and trusted people certificate stores.

To configure a Credentials payload:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.
  3. Select User Profile or Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Credentials payload and configure the following settings:

    Settings Descriptions
    Credential Source

    Select the credential source: Upload, Defined Certificate Authority, or User Certificate.

    The remaining payload options are source-dependent.

    • If you select Upload, you must upload a new certificate.
    • If you select Defined Certificate Authority, you must choose a predefined certificate authority and Template.
    • If you select User Certificate, you must select how the S/MIME certificate is used.
    Upload

    Select to navigate to the desired credential certificate file and upload it to the Workspace ONE UEM console.

    This setting displays when Upload is selected as the Credential Source.

    Certificate Authority

    Use the drop-down menu to select a predefined certificate authority.

    This setting displays when Defined Certificate Authority is selected as the Credential Source.

    Certificate Template

    Use the drop-down menu to select a predefined certificate template specific to the selected certificate authority.

    This setting displays when Defined Certificate Authority is selected as the Credential Source.

    Export Private Key

    Select Allow to let end users export certificates using Windows Certificate Manager.

    Select Don't Allow to prohibit end users from exporting certificates.

    Key Location

    Select the location for the certificate private key:

    • TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the OS.
    • TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
    • Software – Select to store the private key in the device OS.
    • Passport – Select to save the private key within Microsoft Passport. This option requires Azure AD integration.
    Certificate Store

    Select the appropriate certificate store for the credential to reside in on the device:

    • Personal – Select to store personal certificates. Personal certificates require either the AirWatch Unified Agent on the device or the SCEP payload.

    • Intermediate – Select to store certificates from Intermediate Certificate Authorities.
    • Trusted Root – Select to store certificates from Trusted Certificate Authorities and root certificates from your organization and Microsoft.
    • Trusted Publisher – Select to store certificates from Trusted Certificate Authorities trusted by software restriction policies.
    • Trusted People – Select to store certificates from trusted people or end entities that are explicitly trusted. Often these certificates are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.
    Store Location

    Select User or Machine to define where the certificate is located.

    S/MIME

    Select whether the S/MIME certificate is for encryption or signing.

  6. Select Save & Publish to push the profile to devices.
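
Once the profile has installed, the Certificate Store, Store Location, Key Location, and Export Private Key choices can be checked on the device itself. The PowerShell below is an added example, not part of the Workspace ONE UEM documentation; the thumbprint is a placeholder, and the store names and TPM provider name are standard Windows values rather than values taken from this page.

```powershell
# Added example: audit a certificate installed by a Credentials profile.
param(
    [string]$Thumbprint    = '<CERT-THUMBPRINT>',  # placeholder, not from the page
    [string]$StoreLocation = 'Machine',            # console: Store Location
    [string]$CertStore     = 'Personal',           # console: Certificate Store
    [string]$KeyLocation   = 'TPM Required',       # console: Key Location
    [bool]  $AllowExport   = $false                # console: Export Private Key
)

# Console names mapped to standard Windows store names (not taken from the page).
$storeMap = @{ 'Personal' = 'My'; 'Intermediate' = 'CA'; 'Trusted Root' = 'Root'
               'Trusted Publisher' = 'TrustedPublisher'; 'Trusted People' = 'TrustedPeople' }
$locMap   = @{ 'User' = 'CurrentUser'; 'Machine' = 'LocalMachine' }
$tpmKsp   = 'Microsoft Platform Crypto Provider'   # Windows TPM-backed key storage provider

$path = "Cert:\$($locMap[$StoreLocation])\$($storeMap[$CertStore])\$Thumbprint"
$cert = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate not found at $path" }

$findings = @()
if ($cert.NotAfter -lt (Get-Date)) { $findings += "Expired on $($cert.NotAfter)" }

if ($cert.HasPrivateKey) {
    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $ecExt  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
    $key = $rsaExt::GetRSAPrivateKey($cert)
    if (-not $key) { $key = $ecExt::GetECDsaPrivateKey($cert) }
    if ($key.Key -is [System.Security.Cryptography.CngKey]) {
        # CNG key: provider and export policy come from the key handle.
        $policy     = $key.Key.ExportPolicy
        $flags      = [System.Security.Cryptography.CngExportPolicies]
        $provider   = $key.Key.Provider.Provider
        $exportable = $policy.HasFlag($flags::AllowExport) -or $policy.HasFlag($flags::AllowPlaintextExport)
    } else {
        # Legacy CAPI key: read the CSP container information instead.
        $provider   = $key.CspKeyContainerInfo.ProviderName
        $exportable = $key.CspKeyContainerInfo.Exportable
    }
    if ($KeyLocation -eq 'TPM Required' -and $provider -ne $tpmKsp) {
        $findings += "Key is in '$provider', not the TPM"
    }
    if ($exportable -and -not $AllowExport) {
        $findings += 'Private key is exportable although the profile disallows export'
    }
}

[pscustomobject]@{ Path = $path; Provider = $provider; Exportable = $exportable; Findings = $findings }
```

Run it elevated when Store Location is Machine, because opening a machine private key requires administrative access. An empty Findings list means the installed certificate matches the expected settings.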