In Certificate Enrollment Gateway, MDM Web Service (MDMWS) enrollment enrolls a user with a PKCS #12 digital ID. To allow PKCS #12 enrollment through the MDMWS protocol, the client policy assigned to the user’s role must allow PKCS #12 enrollment. To allow PKCS #12 enrollment, the user’s client policy must have the Allow PKCS#12 Export and All Exportable policy attributes.

The following procedures describe how to create a new client policy and role that allows PKCS #12 export.

To create a client policy in Security Manager for MDMWS P12 enrollment

  1. Log in to Security Manager Administration.
  2. In the tree view, select Security Policy > User Policies > End User Policy.
  3. Select User Policies > Selected User Policy > Copy. The Copy User Policy dialog box appears.
  4. In the Label field, enter End User P12 Policy.
  5. In the Common name field, enter End User P12 Policy.
  6. Under Policy Attributes:
    • Select Allow PKCS#12 Export.
    • Deselect All exportable.
  7. Click Apply.
  8. If prompted, authorize the operation.

To create a role in Security Manager for MDMWS P12 enrollment

  1. Log in to Security Manager Administration.
  2. In the tree view, select Security Policy > Roles > End User.
  3. Select User Policies > Selected Role > Copy. A copy of the role appears at the bottom of the list of roles in the tree view, and the new role’s properties appear in the right pane.
  4. In the Unique name field, enter End User P12.
  5. In the User Policy drop-down list, select End User P12 Policy.
  6. Click Apply.
  7. If prompted, authorize the operation.

In CA Gateway, the CA profile that will be used by Certificate Enrollment Gateway for MDMWS enrollment must assign this role to end users. The XAP administrator profile used to manage the CA profile must also have permissions to administer this role.