A Credentials profile pushes certificates to devices for use in authentication. With Workspace ONE UEM, you can configure credentials for personal, intermediate, trusted root, trusted publisher, and trusted people certificate stores. Learn how to configure a credentials profile to enable authentication for your Windows 10 devices.

Even with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute force, dictionary attacks, and employee error. For greater security, you can implement digital certificates to protect corporate assets. To use certificates in this way, you must first configure a credentials payload with a certificate authority, and then configure your Wi-Fi and VPN payloads. Each of these payloads has settings for associating the certificate authority defined in the credentials payload.

The credentials profile also allows you to push S/MIME certificates to devices. These certificates are uploaded under each user account and controlled by the credentials profile.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select User Profile or Device Profile.
  4. Configure the profile General settings.
  5. Select the Credentials payload and configure the following settings:
    Setting – Description
    Credential Source

    Select the credential source: Upload, Defined Certificate Authority, or User Certificate.

    The remaining payload options are source-dependent.

    • If you select Upload, you must upload a new certificate.
    • If you select Defined Certificate Authority, you must choose a predefined certificate authority and template.
    • If you select User Certificate, you must select how the S/MIME certificate is used.
    Upload

    Select to navigate to the desired credential certificate file and upload it to the Workspace ONE UEM console.

    This setting displays when Upload is selected as the Credential Source.

    Certificate Authority

    Use the drop-down menu to select a predefined certificate authority.

    This setting displays when Defined Certificate Authority is selected as the Credential Source.

    Certificate Template

    Use the drop-down menu to select a predefined certificate template specific to the selected certificate authority.

    This setting displays when Defined Certificate Authority is selected as the Credential Source.

    Export Private Key

    Select Allow to let end users export certificates using Windows Certificate Manager.

    Select Don't Allow to prohibit end users from exporting certificates.

    Key Location

    Select the location for the certificate private key:

    • TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the OS.
    • TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
    • Software – Select to store the private key in the device OS.
    • Passport – Select to save the private key within Microsoft Passport. This option requires Azure AD integration.
    Certificate Store

    Select the appropriate certificate store for the credential to reside in on the device:

    • Personal – Select to store personal certificates. Personal certificates require the Workspace ONE Intelligent Hub on the device or the use of the SCEP payload.
    • Intermediate – Select to store certificates from Intermediate Certificate Authorities.
    • Trusted Root – Select to store certificates from Trusted Certificate Authorities and root certificates from your organization and Microsoft.
    • Trusted Publisher – Select to store certificates from Trusted Certificate Authorities trusted by software restriction policies.
    • Trusted People – Select to store certificates from trusted people or end entities that are explicitly trusted. Often these certificates are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.
    Store Location

    Select User or Machine to define where the certificate is located.

    S/MIME

    Select whether the S/MIME certificate is for encryption or signing.

    This option only displays if Credential Source is set to User Certificate.

  6. Select Save & Publish to push the profile to devices.
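After the profile is published, an administrator usually wants to confirm on the device that the credential landed in the intended store, that the Key Location setting took effect (TPM versus software key), and that the Export Private Key setting is enforced. The following PowerShell script is an added verification example; it is not part of Workspace ONE UEM or this documentation. It maps the console's store names to the Windows store names (Personal = My, Intermediate = CA, Trusted Root = Root, Trusted Publisher = TrustedPublisher, Trusted People = TrustedPeople) and reads the key storage provider from the certificate's CNG key. The `$SubjectFilter` value is a placeholder you narrow to the subject your certificate template issues.

```powershell
# Added verification script (not Workspace ONE UEM code). Run on an enrolled Windows 10
# device to check where a pushed credential was installed, whether its private key is
# TPM-backed, and whether it can be exported.
param(
    # Windows store names; 'My' is the console's "Personal" store.
    [ValidateSet('My', 'CA', 'Root', 'TrustedPublisher', 'TrustedPeople')]
    [string]$StoreName = 'My',
    # Corresponds to the profile's Store Location: User -> CurrentUser, Machine -> LocalMachine.
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation = 'LocalMachine',
    # Placeholder; set this to the subject pattern your certificate template issues.
    [string]$SubjectFilter = '*'
)

$path = "Cert:\$StoreLocation\$StoreName"

Get-ChildItem -Path $path |
    Where-Object { $_.Subject -like $SubjectFilter } |
    ForEach-Object {
        $cert       = $_
        $provider   = $null
        $exportable = $null

        if ($cert.HasPrivateKey) {
            try {
                # Only RSA keys are inspected here; ECDSA keys would need GetECDsaPrivateKey.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # 'Microsoft Platform Crypto Provider' means the key lives in the TPM
                    # (Key Location: TPM If Present / TPM Required);
                    # 'Microsoft Software Key Storage Provider' means a software key.
                    $provider = $rsa.Key.Provider.Provider
                    # ExportPolicy of None means the key cannot be exported (Export Private Key: Don't Allow).
                    $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
                }
            } catch {
                # The key may belong to another user or be blocked by ACLs; report rather than fail.
                $provider = "unreadable ($($_.Exception.Message))"
            }
        }

        [pscustomobject]@{
            Store         = $path
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyProvider   = $provider
            Exportable    = $exportable
        }
    } | Format-Table -AutoSize
```

Run it with the store and location that match the profile, for example `.\Check-PushedCredential.ps1 -StoreName My -StoreLocation CurrentUser` for a user-scoped Personal certificate. A credential pushed with TPM Required should report the platform crypto provider; if the row is missing entirely, the device had no TPM and the install failed as the Key Location description states. A credential pushed with Export Private Key set to Don't Allow should report `Exportable` as `False`.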