Utilizing Credential Escrow Gateway (CEG) through VMware Workspace ONE UEM simplifies the distribution of S/MIME certificates to iOS and Android devices because the S/MIME certificate is never uploaded to Workspace ONE Unified Endpoint Management. It automates S/MIME delivery with end-to-end public key encryption, so the certificate can be consumed by native and third-party email clients.

To use Credential Escrow Gateway with VMware Workspace ONE UEM, the following prerequisites must be met.

  • Credential Escrow Gateway 1.3.0+

  • For single account

    • Workspace ONE UEM 2007+

    • Android or iOS Boxer 5.19+

  • For multi-managed account

    • Workspace ONE UEM 2008+

    • Android or iOS Boxer 5.21+

  • Windows 10 devices should be on 1909 build 8363.693 and above

  • A webhook that subscribes to event notifications and updates the certificate provider with the DeviceUUID and EnrollmentUserUUID.

  • A Certificate Provider that listens for event notifications from the webhook and forwards the information to the Certificate Authority, which generates an S/MIME certificate for the specific user and sends that certificate to the escrow gateway. See the Certificate Provider design specification for more details. Note: the customer is responsible for building the webhook and the certificate provider.

  • Workspace ONE UEM 2010+ and Credential Escrow Gateway 1.4.0 support an event-driven certificate check, which delivers escrow profiles faster, based on the enrollment date of the device.

  • If you are on Workspace ONE UEM 2009 or below, the certificate status check runs every 4 hours, with a maximum retry count of 75. If the certificate provider has not uploaded the certificate after 12.5 days, the profile install fails and requires a manual re-install.

  • Encryption must be turned on ahead of time for existing devices, using a Smart Group and a profile.
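The webhook and certificate-provider hand-off described above, and the 4-hour / 75-retry status-check window, as an added Python example that is not part of this page or of VMware's own code. The field names DeviceUUID and EnrollmentUserUUID come from the page; the JSON payload layout, the EventType value, the HMAC signature header and the shared secret are assumptions of this example, and the sample event is constructed. The receiver authenticates the notification, rejects anything that is not a well-formed UUID before it can reach the Certificate Authority, and records the last moment at which a certificate upload can still succeed on UEM 2009 and below.

```python
"""Hypothetical webhook receiver for Workspace ONE UEM event notifications.
DeviceUUID and EnrollmentUserUUID are the identifiers named on the page; the
payload shape, HMAC signing scheme and secret are assumptions of this example."""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone

# From the page: on UEM 2009 and below the status check runs every 4 hours, at
# most 75 times, so a certificate not uploaded after 12.5 days fails the profile.
STATUS_CHECK_INTERVAL = timedelta(hours=4)
MAX_STATUS_CHECKS = 75

# Constructed sample notification (not a real UEM message) used to exercise the code.
SAMPLE_EVENT = json.dumps({
    "EventType": "Enrollment Complete",          # assumed event name
    "DeviceUUID": "8f6c7f1e-2b1d-4c3a-9e5f-1a2b3c4d5e6f",
    "EnrollmentUserUUID": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
}).encode()
SAMPLE_SECRET = b"constructed-shared-secret"      # assumed webhook secret
SAMPLE_RECEIVED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes) -> bool:
    """Constant-time comparison so a forged signature is rejected without a timing leak."""
    return hmac.compare_digest(sign(body, secret), signature_hex)


def parse_event(body: bytes) -> dict:
    """Validate the notification and return the identifiers the certificate provider
    needs. Both values must be well-formed UUIDs; anything else raises ValueError so
    a malformed or tampered event is never forwarded to the Certificate Authority."""
    event = json.loads(body)
    parsed = {}
    for field in ("DeviceUUID", "EnrollmentUserUUID"):
        raw = event.get(field)
        if not isinstance(raw, str):
            raise ValueError(f"missing {field}")
        parsed[field] = str(uuid.UUID(raw))  # normalises, raises ValueError if malformed
    parsed["EventType"] = event.get("EventType", "")
    return parsed


def is_valid_event(body: bytes) -> bool:
    """True when the body parses and carries two well-formed UUIDs."""
    try:
        parse_event(body)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def status_check_deadline(first_check: datetime) -> datetime:
    """Last status check on UEM 2009 and below: 75 checks, 4 hours apart, from the first one."""
    return first_check + STATUS_CHECK_INTERVAL * MAX_STATUS_CHECKS


def handle_webhook(body: bytes, signature_hex: str, secret: bytes,
                   received_at: datetime) -> dict:
    """Full receive path: authenticate, validate, then build the record that the
    customer-built certificate provider would pass on to the Certificate Authority."""
    if not verify_signature(body, signature_hex, secret):
        raise PermissionError("webhook signature mismatch")
    ids = parse_event(body)
    return {
        "device_uuid": ids["DeviceUUID"],
        "enrollment_user_uuid": ids["EnrollmentUserUUID"],
        "received_at": received_at.isoformat(),
        "upload_deadline": status_check_deadline(received_at).isoformat(),
    }


def demo() -> dict:
    """Run the receive path over the constructed sample event."""
    return handle_webhook(SAMPLE_EVENT, sign(SAMPLE_EVENT, SAMPLE_SECRET),
                          SAMPLE_SECRET, SAMPLE_RECEIVED_AT)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record's upload_deadline is the point after which, on UEM 2009 and below, the escrow profile install fails and must be reinstalled manually; a certificate provider that monitors its own queue against that value can alert before the window closes rather than after.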