Find out what Microsoft certificate authority (CA) models Workspace ONE UEM supports. View a high-level comparison of each CA type and consider which configuration might work best for your deployment.

Available Microsoft Certificate Authority Models

Workspace ONE UEM offers several deployment options for Microsoft certificate authorities.

  • Workspace ONE UEM to the CA- This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA or through the AirWatch Cloud Connector to the CA.

  • Mobile Devices to the CA - This model uses the NDES (a Microsoft proprietary version of SCEP) or SCEP protocol. Workspace ONE UEM only delegates certificate transactions between the device and the Microsoft CA.

  • Workspace ONE UEM SCEP Proxy - This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.

Comparison Matrix by Protocol

| Considerations | DCOM Protocol: Workspace ONE UEM to CA | NDES/SCEP Protocol: Workspace ONE UEM as Delegate | NDES/SCEP Protocol: Workspace ONE UEM SCEP Proxy |
|---|---|---|---|
| Key Benefit | You can automate the certificate lifecycle management (certificate revocation and renewal). | Each device generates and has its own key pair. | The NDES/SCEP endpoint is not exposed to the Internet. |
| Devices Supported | Android, iOS, Windows 10, macOS | Android, iOS, Windows 10, macOS | Android, iOS, Windows 10, macOS |
| Architecture | Workspace ONE UEM servers must have DCOM access to the CA. | NDES/SCEP server must be externally available to the Internet. | Workspace ONE UEM must be able to reach the NDES/SCEP server. |
| Key Pair Generation | CA server handles the key pair generation. | Device handles the key pair generation. | Device handles the key pair generation. |
| Ports | DCOM Port 135: Microsoft DCOM Service Control Manager. DCOM Ports 1025–5000: Default ports for DCOM processes, but you can configure the port range to any non-standard ports. | HTTP/HTTPS 443 or 80 | HTTP/HTTPS 443 or 80 |
| Certificate Template | Supports multiple templates. For example, a single CA supports Wi-Fi, VPN, and email certificates. | Single template per instance. For example, Wi-Fi, VPN, and email certificates require three separate templates. | Single template per instance. For example, Wi-Fi, VPN, and email certificates require three separate templates. |
| Certificate Renewal | Automatic renewal available. | SCEP: Requires manual renewal by profile repush. NDES: Automatic renewal available. | SCEP: Requires manual renewal by profile repush. NDES: Automatic renewal available. |
| Certificate Revocation | Supported | Not supported | Not supported |

Workspace ONE UEM Directly to CA

Direct CA integration with Workspace ONE UEM over DCOM provides functionality for mobile certificate management. With direct CA integration, unlike with regular SCEP, there are no exposed endpoints of your Public Key Infrastructure (PKI) left open and vulnerable to attack. Plus, it offers additional features such as the ability to issue multiple certificate templates and revoke certificates from the CA by including them in a Certificate Revocation List (CRL).

For on-premises, Workspace ONE UEM can directly communicate to your CA within the internal network. For SaaS, you can use the AirWatch Cloud Connector to securely connect Workspace ONE UEM to your CA.

  1. The device enrolls with Workspace ONE UEM.

  2. Workspace ONE UEM sends a request to the CA to issue a certificate for the enrolled device using domain credentials.

  3. The CA issues a certificate for the enrolled device.

  4. The CA sends the device's certificate to Workspace ONE UEM.

  5. Workspace ONE UEM generates a configuration profile for the enrolled device and attaches the certificate to the profile.

  6. Workspace ONE UEM sends the configuration profile and the certificate to the enrolled device.

Device to CA with UEM as Delegate

Workspace ONE UEM can act as a delegate between the device and the CA, sending certificate transactions between the device and the CA over NDES/SCEP. This integration with NDES/SCEP and the device positions Workspace ONE UEM to never come in contact with the device certificate. Workspace ONE UEM only acts as a delegate so that the device receives its certificate from the CA.

This is the typical NDES/SCEP configuration currently found in most existing implementations that include Wi-Fi access points, routers, and other network equipment. In this scenario, Workspace ONE UEM is not given the responsibility of managing the device certificate. Also, the token is transmitted to the device over the Internet so there is an added risk that an unauthorized person can intercept the certificate.

  1. The device enrolls with Workspace ONE UEM.

  2. Workspace ONE UEM sends information using NDES/SCEP to the device.

  3. The NDES/SCEP server authorizes approval and sends Workspace ONE UEM a token for the enrolled device.

  4. Workspace ONE UEM notifies the enrolled device about the approval, the token, and server information.

  5. The enrolled device communicates directly with the NDES/SCEP server because it has approval.

  6. The NDES/SCEP server requests that the CA generates a certificate for the enrolled device.

  7. The CA generates a certificate and returns it to the NDES/SCEP server.

  8. The NDES/SCEP service sends the certificate to the device.

Workspace ONE UEM SCEP Proxy Between Device and CA

If you do not want to expose your NDES/SCEP endpoints to external devices, you can use the Workspace ONE UEM SCEP Proxy. The SCEP Proxy allows Workspace ONE UEM to act as an intermediary between the NDES/SCEP server and the device. It forwards and returns requests and responses between the two components. Workspace ONE UEM does not have the NDES/SCEP server's private key, so it cannot parse requests from devices.

For on-premises, Workspace ONE UEM can proxy to a CA on the same or different domains. For SaaS, use the AirWatch Cloud Connector to securely connect Workspace ONE UEM to your CA.

  1. The device enrolls with Workspace ONE UEM.

  2. Workspace ONE UEM sends information to the NDES/SCEP server to request that the CA issue a certificate to the enrolled device.

  3. The NDES/SCEP service requests that the CA generate a certificate for the enrolled device.

  4. The CA generates a certificate and sends it to the NDES/SCEP service.

  5. The NDES/SCEP server receives the certificate and sends it to Workspace ONE UEM.

  6. Workspace ONE UEM generates a configuration profile for the enrolled device and attaches the certificate to the profile.

  7. Workspace ONE UEM sends the configuration profile and the certificate to the enrolled device.
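The following is an added illustration of the two properties this model relies on (the device generates and keeps its own key pair, and the proxy relays the request without being able to read it); it is not Workspace ONE UEM, NDES, or Microsoft code. It stands in a plain hybrid-encryption envelope for SCEP's CMS pkcsPKIEnvelope, and the device name, key sizes, and function names are constructed for the example.

```python
"""Simplified model of the SCEP Proxy flow: the device keeps its key pair,
encrypts its CSR to the RA/NDES public key, and the UEM proxy only relays
opaque bytes. The envelope layout (wrapped key | nonce | ciphertext) is a
stand-in for SCEP's CMS pkcsPKIEnvelope, not the RFC 8894 wire format."""
import os
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
WRAP_LEN = 256  # RSA-2048 ciphertext length of the wrapped content-encryption key
NONCE_LEN = 12

def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def device_build_request(device_key, ra_pub, common_name):
    """Device side: the private key never leaves the device; only a CSR is sent,
    encrypted to the RA public key and signed by the device's own key."""
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(device_key, hashes.SHA256()))
    cek = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(NONCE_LEN)
    body = AESGCM(cek).encrypt(nonce, csr.public_bytes(serialization.Encoding.DER), None)
    envelope = ra_pub.encrypt(cek, OAEP) + nonce + body
    sig = device_key.sign(envelope, padding.PKCS1v15(), hashes.SHA256())
    return envelope, sig

def proxy_forward(envelope, sig):
    """UEM SCEP Proxy: forwards bytes between device and NDES/SCEP server.
    It holds no RA private key, so the content key cannot be unwrapped here."""
    return envelope, sig

def open_request(holder_key, device_pub, envelope, sig):
    """Verify the device signature and unwrap the CSR. Only the RA private key
    succeeds; any other key raises ValueError on the OAEP unwrap."""
    device_pub.verify(sig, envelope, padding.PKCS1v15(), hashes.SHA256())
    wrapped, nonce, body = (envelope[:WRAP_LEN], envelope[WRAP_LEN:WRAP_LEN + NONCE_LEN],
                            envelope[WRAP_LEN + NONCE_LEN:])
    cek = holder_key.decrypt(wrapped, OAEP)
    csr = x509.load_der_x509_csr(AESGCM(cek).decrypt(nonce, body, None))
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession failed")
    return csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def proxy_can_read(proxy_key, device_pub, envelope, sig):
    """Returns False when the proxy's own key cannot open the envelope (expected)."""
    try:
        open_request(proxy_key, device_pub, envelope, sig)
        return True
    except ValueError:
        return False
```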