AirWatch provisions the device with the parameters to generate the key pair and submit the CSR to the SCEP endpoint. The SCEP endpoint returns a signed certificate back to the mobile device. The device manages the certificate and its private key. The benefit to SCEP is that the private key never leaves the mobile device.

Certs_SCEP_01