Sending certificates to devices and apps using profiles Skip Navigation

Sending certificates to devices and apps using profiles

You can send certificates to devices and apps using the following profiles:
Profile
Description
CA certificate
CA certificate profiles specify a CA certificate that devices and
BlackBerry Dynamics
apps can use to trust the identity associated with any client or server certificate that has been signed by that CA.
User credential
User credential profiles send certificates to devices in the following ways:
  • Specify a connection to your organization's PKI software to send client certificates to devices and
    BlackBerry Dynamics
    apps.
  • Manually upload certificates in
    BlackBerry UEM
    and, in an on-premises environment, allow users to upload certificates using
    BlackBerry UEM Self-Service
    .
  • Allow
    BlackBerry Dynamics
    apps on
    Android
    devices and the
    BlackBerry Access
    app on
    macOS
    and
    Windows 10
    devices to use certificates from the device native keystore.
  • Allow
    BlackBerry Dynamics
    apps to import certificates from other app-based PKI solutions such as
    Purebred
    .
SCEP
SCEP profiles specify how devices and
BlackBerry Dynamics
apps connect to, and obtain client certificates from, your organization's CA using a SCEP service.
Shared certificate
Shared certificate profiles specify a client certificate that
UEM
sends to
iOS
and
Android
devices.
UEM
sends the same client certificate to every user that the profile is assigned to.
For
iOS
and
Android
devices, you can also send a client certificate to a device by adding the certificate directly to a user account. For more information, see Add and manage a client certificate for a user account.
For
iOS
and
Android
devices, if your organization uses certificates for S/MIME, you can also use profiles to allow devices to get recipient public keys and check certificate status. For more information, see Extending email security using S/MIME.
For
BlackBerry Dynamics
apps to use certificates sent by profiles, you must select "Allow
BlackBerry Dynamics
apps to use user certificates, SCEP profiles, and user credential profiles" for the specific app on the
App
screen,
Settings > BlackBerry Dynamics
tab.
The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
  • To use SCEP profiles, you must have a CA that supports SCEP.
  • If you have set up a connection between
    UEM
    and your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to an
    Entrust
    CA or
    OpenTrust
    CA. You can also use a
    BlackBerry Dynamics
    PKI connector to connect to a CA server to enroll certificates for
    BlackBerry Dynamics
    enabled devices.
  • To use certificates with
    BlackBerry Dynamics
    apps, you must use a user credential profile or add the certificates to individual user accounts.
  • To allow users to upload certificates that they can use to connect to your work
    Wi-Fi
    network, work VPN, and work mail server, use a user credential profile.
  • To use client certificates for
    Wi-Fi
    , VPN, and mail server authentication, you must associate the certificate profile with a
    Wi-Fi
    , VPN, or email profile.
  • Android Enterprise
    devices don't support using certificates sent to devices by
    UEM
    for
    Wi-Fi
    authentication.
  • Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.