Utilizing Credential Escrow Gateway (CEG) through VMware Workspace ONE UEM simplifies the distribution of SMIME certificates to iOS and Android devices by not uploading the SMIME certificate to Workspace ONE Unified Endpoint Management. It provides automation of the SMIME delivery, with end-to-end public key encryption for consumption using native, and 3rd party email clients.

Note: To use the Credential Escrow Gateway, you must contact your VMware account representative. Your account representative will engage the VMware Professional Services Office and Product Management.


The following prerequisites must be met to use the Credential Escrow Gateway with VMware Workspace ONE UEM.

  • Credential Escrow Gateway 1.3.0 or later
  • For single account
    • Workspace ONE UEM 2007 or later
    • Android or iOS Boxer 5.19 or later
  • For multi-managed account
    • Workspace ONE UEM 2008 or later
    • Android of iOS Boxer 5.21 or later
  • Windows 10 devices should be on 1909 build 8363.693 or later
  • A webhook that subscribes to event notification and update certificate provider with DeviceUUID and EnrollmentUserUUID.
  • A Certificate Provider receives Event Notifications from webhook and forwarding the information to Certificate Authority to generate SMIME cert for a specific user and send that certificate to escrow gateway. For more details, see Certificate Provider design specification. You are responsible for building a webhook and a certificate provider.
  • Workspace ONE UEM 2010 or later and Credential Escrow Gateway 1.4.0 supports event-based driven certificate checks by delivering escrow profiles in a faster manner based on enrollment date of the device.
  • If you are on Workspace ONE UEM 2009 and below, then the cert status check runs every four hours, with a maximum retry count of 75. If the cert provider fails to upload after 12.5 days, then the profile install fails and requires a manual re-install.
  • Turn on encryption using a Smart Group and a profile for existing devices ahead of time.