The Workspace ONE Intelligent Hub for iOS collects and delivers managed device information to the UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.
Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between Workspace ONE Intelligent Hub for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview details the benefits and necessities of both security enhancements.
Understanding the Certificate Exchange
Before any data is transferred, the Workspace ONE Intelligent Hub application and the server trade personalized certificates. This relationship is established when Workspace ONE Intelligent Hub for iOS checks into the Workspace ONE UEM server for the first time during enrollment.
- Workspace ONE Intelligent Hub for iOS communicates with the Workspace ONE UEM server to obtain the server’s certificate public key. Both Workspace ONE Intelligent Hub for iOS and the Workspace ONE UEM server trust the public key of the Workspace ONE UEM Root certificate, which verifies the authenticity of all certificates involved in the enrollment exchange.
- Workspace ONE Intelligent Hub for iOS validates the server’s certificate against the Workspace ONE UEM Root CA certificate.
- Workspace ONE Intelligent Hub for iOS sends a unique certificate public key to the Workspace ONE UEM server.
- The Workspace ONE UEM server associates the Workspace ONE Intelligent Hub’s certificate with that device in the database.
Securing the Data in Transit
After the initial exchange of certificates, all data sent to the UEM console is encrypted from that point forward. The following table shows the two certificates involved and what each party does with them in the transaction.

| | Hub Certificate | Server Certificate |
|---|---|---|
| Workspace ONE Intelligent Hub | Sign the Data | Encrypt the Data |
| Workspace ONE UEM Server | Verify the Data Origin | Decrypt the Data |
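The enrollment exchange described above and the sign/encrypt split in the table, as an added Go example (this is not Workspace ONE code; the real wire format, key sizes and algorithms are not documented on this page and are assumed): a root CA issues one certificate to the server and one to the Hub, each side validates the peer certificate it receives against the root before trusting it, then the Hub signs a payload with its own key and encrypts it to the server certificate, and the server decrypts with its private key and verifies the origin against the Hub certificate it stored at enrollment. The names `Example UEM Root CA`, `uem.example.test` and `device-0001`, the JSON payload, and the choice of RSA-PSS for signatures and RSA-OAEP for encryption are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Parties is what each side holds after the first check-in: the shared root, its own
// private key, and the peer certificate it validated during enrollment.
type Parties struct {
	Root                *x509.Certificate
	ServerKey, HubKey   *rsa.PrivateKey
	ServerCert, HubCert *x509.Certificate // HubCert is what the server stores for the device
}

// Envelope is one Hub-to-server message: the payload encrypted to the server
// certificate, plus the Hub's signature over the plaintext as proof of origin.
type Envelope struct{ Ciphertext, Signature []byte }

// must panics on setup failures (key generation, certificate issuance) so the
// enrollment walk-through stays short; the message-level checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity generates an RSA key and a certificate for it signed by issuerKey.
// With issuer == nil the certificate signs itself and becomes the root CA.
func newIdentity(cn string, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if issuer == nil { // self-signed root, allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return key, must(x509.ParseCertificate(der))
}

// VerifyAgainstRoot is the check each side runs on the certificate it receives:
// the chain must end at the trusted root, so self-signed or foreign-CA certificates fail.
func VerifyAgainstRoot(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Enroll models the first check-in: the Hub validates the server certificate against
// the root, then presents its own, which the server validates and stores for the device.
func Enroll() (*Parties, error) {
	rootKey, root := newIdentity("Example UEM Root CA", nil, nil)
	serverKey, serverCert := newIdentity("uem.example.test", root, rootKey)
	if err := VerifyAgainstRoot(serverCert, root); err != nil { // performed by the Hub
		return nil, fmt.Errorf("hub rejected server certificate: %w", err)
	}
	hubKey, hubCert := newIdentity("device-0001", root, rootKey)
	if err := VerifyAgainstRoot(hubCert, root); err != nil { // performed by the server before storing HubCert
		return nil, fmt.Errorf("server rejected hub certificate: %w", err)
	}
	return &Parties{root, serverKey, hubKey, serverCert, hubCert}, nil
}

// HubSeal: the Hub signs the payload with its own key (origin) and encrypts it to the
// server certificate (confidentiality), the two columns of the table above.
func HubSeal(p *Parties, plaintext []byte) (Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, p.HubKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	// OAEP is applied to the payload directly for brevity; a real payload would be
	// wrapped under a symmetric key, since OAEP with a 2048-bit key carries at most 190 bytes.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.ServerCert.PublicKey.(*rsa.PublicKey), plaintext, nil)
	return Envelope{Ciphertext: ct, Signature: sig}, err
}

// ServerOpen: the server decrypts with its private key, then checks the signature
// against the Hub certificate it stored for that device at enrollment.
func ServerOpen(p *Parties, env Envelope) ([]byte, error) {
	plaintext, err := rsa.DecryptOAEP(sha256.New(), nil, p.ServerKey, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(p.HubCert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("origin check failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	p := must(Enroll())
	env := must(HubSeal(p, []byte(`{"udid":"constructed-sample","os":"17.0"}`))) // constructed payload
	fmt.Printf("server received: %s\n", must(ServerOpen(p, env)))
}
```

The two checks worth noticing are the ones the page's bullets describe: `VerifyAgainstRoot` is what turns "obtain the server's public key" into "trust the server's public key", and the server only accepts a payload whose signature verifies under the Hub certificate it bound to that device record at enrollment, so a message from a device the server never enrolled, or a message whose bytes were altered in transit, is rejected before any data reaches the console.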
APIs and Application Functionality
There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management and tracking capabilities:
- Over-the-Air (OTA) MDM APIs are activated through the enrollment process, regardless of whether Workspace ONE Intelligent Hub for iOS is used.
- Native iOS SDK APIs are available to any third-party application, including Workspace ONE Intelligent Hub applications and any other application using the Workspace ONE UEM Software Development Kit (SDK).
The Workspace ONE Intelligent Hub for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When Workspace ONE Intelligent Hub for iOS is combined with the Workspace ONE UEM SDK for iOS, administrators gain application-level MDM features beyond those offered by the Over-the-Air (OTA) MDM API layer.