Certificates are used to authenticate communication between the Workspace ONE UEM console and VMware AirWatch Cloud Connector. In on-premises deployments, data and traffic between AWCM and VMware AirWatch Cloud Connector is encrypted and signed.
How Certificates are Generated
- You enable the VMware AirWatch Cloud Connector and then generate certificates for Workspace ONE UEM and VMware AirWatch Cloud Connector.
- Both certificates are unique to the group selected in the Workspace ONE UEM console and reside on the Workspace ONE UEM server.
- Both certificates are generated from a trusted Workspace ONE UEM root.
- You install VMware AirWatch Cloud Connector. The VMware AirWatch Cloud Connector certificate that Workspace ONE UEM generates is automatically bundled and installed with VMware AirWatch Cloud Connector.
How Data is Routed (On-Premises only)
- Workspace ONE UEM sends requests to AWCM. Requests are encrypted in transit using HTTPS (SSL/TLS).
- The VMware AirWatch Cloud Connector queries AWCM for Workspace ONE UEM requests. Requests are encrypted in transit using HTTPS (SSL/TLS).
- All data is sent through AWCM.
The VMware AirWatch Cloud Connector configuration trusts only messages signed by the Workspace ONE UEM environment. This trust is unique per group.
Any additional VMware AirWatch Cloud Connector servers set up in the same Workspace ONE UEM group as part of a highly available (HA) configuration are issued the same unique VMware AirWatch Cloud Connector certificate. For more information about high availability, please refer to the VMware Recommended Architecture Guide, available on docs.vmware.com.
How Data is Secured (On-Premises only)
The Workspace ONE UEM server sends each request as an encrypted and signed message to the AWCM.
- Requests are encrypted using the unique public key of the VMware AirWatch Cloud Connector instance. Only VMware AirWatch Cloud Connector can decrypt the requests.
- Requests are signed using the private key of the Workspace ONE UEM server instance, which is unique for each group. Therefore, VMware AirWatch Cloud Connector trusts requests only from the configured Workspace ONE UEM server.
- Responses from VMware AirWatch Cloud Connector to the Workspace ONE UEM server are encrypted with the same key as the request and signed with the VMware AirWatch Cloud Connector private key.
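The request direction described above, modelled as an added example (this is illustrative code written for this page, not VMware's implementation or AWCM's wire format): the request is encrypted to the connector's public key and signed with the group's UEM private key, and the connector verifies the signature against the one UEM key it was configured with before decrypting, so a request signed by another group's key is rejected. Key pairs, the Envelope type and the sample request are all constructed here; RSA-OAEP/PSS are assumed only to stand in for whatever primitives the product uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a constructed stand-in for the encrypted-and-signed request; it is not AWCM's wire format.
type Envelope struct {
	Ciphertext []byte // request encrypted to the recipient's (connector's) public key
	Signature  []byte // signature over the ciphertext by the sender's (UEM group's) private key
}

// Seal encrypts plaintext to the recipient's public key, then signs the ciphertext with the sender's key.
// RSA-OAEP is applied directly because the sample is short; real deployments wrap a symmetric key instead.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil { return Envelope{}, err }
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return Envelope{}, err }
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature against the single trusted peer key before decrypting. Anything signed by
// another key is rejected without being decrypted, which is the per-group trust the connector enforces.
func Open(receiver *rsa.PrivateKey, trustedPeer *rsa.PublicKey, env Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(trustedPeer, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature is not from the configured Workspace ONE UEM server; request rejected")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.Ciphertext, nil)
}

// Demo: keys for one UEM group (A), its connector, and a second group (B). The connector, configured to
// trust group A only, decrypts A's request and rejects B's even though B encrypted to the same connector key.
func Demo() (accepted string, crossGroupErr error) {
	uemA, _ := rsa.GenerateKey(rand.Reader, 2048)
	acc, _ := rsa.GenerateKey(rand.Reader, 2048)
	uemB, _ := rsa.GenerateKey(rand.Reader, 2048)
	req := []byte("directory lookup request (constructed sample)")
	env, _ := Seal(uemA, &acc.PublicKey, req)
	pt, _ := Open(acc, &uemA.PublicKey, env)
	foreign, _ := Seal(uemB, &acc.PublicKey, req) // right recipient, wrong (cross-group) signer
	_, crossGroupErr = Open(acc, &uemA.PublicKey, foreign)
	return string(pt), crossGroupErr
}
```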