Choosing profiles to send client certificates to devices and apps
You can use different types of profiles to send client certificates to devices and
BlackBerry Dynamicsapps. The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
- To use SCEP profiles, you must have a CA that supports SCEP.
- If you have set up a connection betweenBlackBerry UEMand your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to anEntrustCA orOpenTrustCA. You can also use aBlackBerry DynamicsPKI connector to connect to a CA server to enroll certificates forBlackBerry Dynamicsenabled devices.
- To use certificates withBlackBerry Dynamicsapps, you must use a user credential profile or add the certificates to individual user accounts.
- To allow users to upload certificates that they can use to connect to your workWi-Finetwork, work VPN, and work mail server, use a user credential profile.
- To use client certificates forWi-Fi, VPN, and mail server authentication, you must associate the certificate profile with aWi-Fi, VPN, or email profile.Android Enterprisedevices don't support using certificates sent to devices byBlackBerry UEMforWi-Fiauthentication.
- Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.