Choosing profiles to send client certificates to devices and apps

You can use different types of profiles to send client certificates to devices and BlackBerry Dynamics apps. The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
  • To use SCEP profiles, you must have a CA that supports SCEP.
  • If you have set up a connection between BlackBerry UEM and your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to an Entrust CA or OpenTrust CA. You can also use a BlackBerry Dynamics PKI connector to connect to a CA server to enroll certificates for BlackBerry Dynamics enabled devices.
  • To use certificates with BlackBerry Dynamics apps, you must use a user credential profile or add the certificates to individual user accounts.
  • To allow users to upload certificates that they can use to connect to your work Wi-Fi network, work VPN, and work mail server, use a user credential profile.
  • To use client certificates for Wi-Fi, VPN, and mail server authentication, you must associate the certificate profile with a Wi-Fi, VPN, or email profile. Android Enterprise devices don't support using certificates sent to devices by BlackBerry UEM for Wi-Fi authentication.
  • Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.