When using VMware Workspace ONE as the MDM provider, the enrollment automation supports the following protocols.

  • The PKI protocol for Entrust MDMWS PKCS #12 enrollment. 
  • The Simple Certificate Enrollment Protocol (SCEP).

See below for the MDMWS certificate profiles supported by each protocol.

| Profile | PKI | SCEP |
|---|---|---|
| mdmws-digital-signature | No | Yes |
| mdmws-digital-signature-key-encipherment | No | Yes |
| mdmws-digital-signature-key-encipherment-clientauth | No | Yes |
| mdmws-key-encipherment | No | Yes |
| mdmws-non-repudiation | No | Yes |
| mdmws-p12-digital-signature | Yes | Yes |
| mdmws-p12-digital-signature-key-encipherment | Yes | Yes |
| mdmws-p12-digital-signature-key-encipherment-clientauth | Yes | Yes |
| mdmws-p12-key-encipherment | Yes | Yes |
| mdmws-p12-non-repudiation | Yes | Yes |

See below for additional protocol differences. 


| | PKI | SCEP |
|---|---|---|
| Private key | Generated by the Entrust CA and delivered to Workspace ONE as a PKCS #12. Workspace ONE delivers the resulting private key and certificate to the managed device. | Generated along with the CSR by the managed device. |
| Certificate information | Provided to the Entrust CA using the MDMWS API. | Contained within the CSR. |
| CSR challenge passwords | Not used. | Workspace ONE: (1) requests challenge passwords from the MDMWS API of the Entrust CA; (2) provides the challenge password to the managed devices. The devices embed the challenge password into the CSR for SCEP enrollment. |
| Enrollment request | Submitted by Workspace ONE. | Submitted by the managed devices to the SCEP endpoint of the Entrust CA. Optionally, you can use Workspace ONE as a SCEP proxy to perform SCEP against Workspace ONE instead of the Entrust CA. |
| Support status | Fully supported | Temporarily broken because Workspace ONE: We are working with Workspace ONE to fix this. |
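
The SCEP flow described above has the managed device generate the key pair and CSR itself and embed the challenge password in the CSR. The following is an added example, not code from this page, Entrust or VMware: it assumes the `openssl` CLI is installed, and the subject name, challenge value and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: device-side SCEP CSR with an embedded challenge password.
# Subject, challenge value and file names are constructed for illustration.

# Device side: generate the key pair locally and build a PKCS #10 CSR that
# carries the challenge password as a challengePassword attribute.
# $1 = work dir, $2 = subject CN, $3 = challenge password
make_scep_csr() {
    dir=$1
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
attributes = attrs
[dn]
CN = $2
[attrs]
challengePassword = $3
EOF
    # device.key stays on the device; only device.csr is submitted.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
}

# Receiving side: read the challengePassword attribute back out of the CSR.
# $1 = path to CSR (PEM)
csr_challenge() {
    openssl asn1parse -in "$1" |
        awk -F: '/OBJECT +:challengePassword$/ { found = 1; next }
                 found && /prim:/ { print $NF; exit }'
}

# Compare the challenge in the CSR with the one that was handed out.
# $1 = path to CSR, $2 = expected challenge; returns 0 on match
challenge_matches() {
    [ "$(csr_challenge "$1")" = "$2" ]
}

demo() {
    work=$(mktemp -d)
    make_scep_csr "$work" "device-0001.example.test" "constructed-otp-1234"
    csr_challenge "$work/device.csr"
    rm -rf "$work"
}
demo
```

The attribute is stored as a plain string inside the PKCS #10 structure, so a CSR captured before it is wrapped for the CA should be handled as if it contained a credential.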

Follow the steps below to automate MDM enrollment in VMware Workspace ONE.