Certificates help protect your infrastructure from brute force attacks, dictionary attacks, and employee error. If you use certificates, integrate your certificate authority with VMware Workspace ONE® UEM powered by AirWatch for increased stability, security, and authentication.
Find out what Microsoft certificate authority (CA) models Workspace ONE UEM supports. View a high-level comparison of each CA type and consider which configuration might work best for your deployment. - Available Microsoft Certificate Authority Models - Comparison Matrix by Protocol - Workspace ONE UEM Directly to CA - Device to CA with UEM as Delegate - Workspace ONE UEM SCEP Proxy Between Device and CA
Workspace ONE UEM offers several deployment options for Microsoft certificate authorities. - Workspace ONE UEM to the CA- This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA or through the AirWatch Cloud Connector to the CA. - Mobile Devices to the CA - This model uses the NDES (a Microsoft proprietary version of SCEP) or SCEP protocol. Workspace ONE UEM only delegates certificate transactions between the device and the Microsoft CA. - Workspace ONE UEM SCEP Proxy - This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.
|Considerations||DCOM Protocol: Workspace ONE UEM to CA||NDES/SCEP Protocol: Workspace ONE UEM as Delegate||NDES/SCEP Protocol: Workspace ONE UEM SCEP Proxy|
|Key Benefit||You can automate the certificate lifecycle management (certificate revocation and renewal).||Each device generates and has its own key pair.||The NDES/SCEP endpoint is not exposed to the Internet.|
|Architecture||Workspace ONE UEM servers must have DCOM access to the CA.||NDES/SCEP server must be externally available to the Internet.||Workspace ONE UEM must be able to reach the NDES/SCEP server.|
|Key Pair Generation||CA server handles the key pair generation.||Device handles the key pair generation.||Device handles the key pair generation.|
DCOM Port 135: Microsoft DCOM Service Control Manager
DCOM Ports 1025–5000: Default ports for DCOM processes but you can configure the port range to any non-standard ports.
|HTTP/HTTPS 443 or 80||HTTP/HTTPS 443 or 80|
|Certificate Template||For example, a single CA supports Wi-Fi, VPN, and email certificates.||For example, Wi-Fi, VPN, and email certificates require three separate templates.||Single template per instance.
For example, Wi-Fi, VPN, and email certificates require three separate templates.
|Certificate Renewal||Automatic renewal available.||SCEP - Requires manual renewal by profile repush.
NDES - Automatic renewal available.
|SCEP - Requires manual renewal by profile repush.
NDES - Automatic renewal available.
|Certificate Revocation||Supported||Not supported||Not supported|
Direct CA integration with Workspace ONE UEM over DCOM provides functionality for mobile certificate management. With direct CA integration, unlike with regular SCEP, there are no exposed endpoints of your Public Key Infrastructure (PKI) left open and vulnerable to attack. Plus, it offers additional features such as the ability to issue multiple certificate templates and revoke certificates from the CA by including them in a Certificate Revocation List (CRL).
For on-premises, Workspace ONE UEM can directly communicate to your CA within the internal network. For SaaS, you can use the AirWatch Cloud Connector to securely connect Workspace ONE UEM to your CA.
Workspace ONE UEM can act as a delegate between the device and the CA, sending certificate transactions between the device and the CA over NDES/SCEP. This integration with NDES/SCEP and the device positions Workspace ONE UEM to never come in contact with the device certificate. Workspace ONE UEM only acts as a delegate so that the device receives its certificate from the CA.
This is the typical NDES/SCEP configuration currently found in most existing implementations that include Wi-Fi access points, routers, and other network equipment. In this scenario, Workspace ONE UEM is not given the responsibility of managing the device certificate. Also, the token is transmitted to the device over the Internet so there is an added risk that an unauthorized person can intercept the certificate.
If you do not want to expose your NDES/SCEP endpoints to external devices, you can use the Workspace ONE UEM SCEP Proxy. The SCEP Proxy allows Workspace ONE UEM to act as an intermediary between the NDES/SCEP server and the device. It forwards and returns requests and responses between the two components. Workspace ONE UEM does not have the NDES/SCEP server’s private key, so it cannot parse requests from devices.
For on-premises, Workspace ONE UEM can proxy to a CA on the same or different domains. For SaaS, use the AirWatch Cloud Connector to securely connect Workspace ONE UEM to your CA.