Creating Credential Escrow Gateway profile Workspace ONE UEM gives the ability to send the skeleton profile to Workspace ONE UEM Credential Escrow Gateway to encrypt. This profile is encrypted, and only end-user devices can decrypt it using the private key. Learn more about how easy it is to create a profile with Credential Escrow Gateway.

Creating a Profile with Escrow Credentials

  1. From the Profile page, click Add Profile and the desired platform

  2. On the General Payload page give the profile a name and assign it to a smartgroup

  3. On the Credentials Payload page click on Escrow Gateway and select Signing Certificate

  4. To Add an Encryption Cert, click on the + button to add an additional credential payload and select Escrow Gateway and then Encryption Certificate.

  5. Add Exchange ActiveSync details if needed and click save and publish to create the profile and assign to device.

  6. During device enrollment, UEM sends a skeleton profile with placeholders for escrowed credentials to CEG via ACC.

    This skeleton profile is identified by a combination of the user and device UUID. In the meantime, UEM fires a device enrollment event to the webhook defined by customer. The event's payload contains the user and device UUID.

  7. The webhook should trigger customer's Certificate Provider to upload the required S/MIME certificates for the newly created profile.

  8. See the next section about how to upload certificates.


    Credential Escrow Gateway does not demand a particular order of profile creation and certificate upload; any of them can be done first.