Sending certificates to devices and apps using profiles
You can send certificates to devices and apps using the following profiles:
Profile | Description |
---|---|
CA certificate | CA certificate profiles specify a CA certificate that devices and BlackBerry Dynamics apps can use to trust the identity associated with any client or server certificate that has been signed by that CA. |
User credential | User credential profiles send certificates to devices in the following ways: |
User credential Intercede | User credential Intercede profiles can be configured and assigned to enable a user to use the UEM Client to activate their device with Intercede MyID and download derived credentials certificates from MyID to the BlackBerry Dynamics keystore, or to the BlackBerry Dynamics keystore and the device's native key chain. See Use Intercede MyID to provide derived credentials certificates to devices. |
SCEP | SCEP profiles specify how devices and BlackBerry Dynamics apps connect to, and obtain client certificates from, your organization's CA using a SCEP service. |
Shared certificate | Shared certificate profiles specify a client certificate that UEM sends to iOS and Android devices. UEM sends the same client certificate to every user that the profile is assigned to. |

For iOS and Android devices, you can also send a client certificate to a device by adding the certificate directly to a user account. For more information, see Add and manage a client certificate for a user account.

For iOS and Android devices, if your organization uses certificates for S/MIME, you can also use profiles to allow devices to get recipient public keys and check certificate status. For more information, see Extending email security using S/MIME.

For BlackBerry Dynamics apps to use certificates sent by profiles, you must select "Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles" for the specific app on the App screen, Settings > BlackBerry Dynamics tab.

The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
- To use SCEP profiles, you must have a CA that supports SCEP.
- If you have set up a connection between UEM and your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to an Entrust CA or OpenTrust CA. You can also use a BlackBerry Dynamics PKI connector to connect to a CA server to enroll certificates for BlackBerry Dynamics enabled devices.
- To use certificates with BlackBerry Dynamics apps, you must use a user credential profile or add the certificates to individual user accounts.
- To allow users to upload certificates that they can use to connect to your work Wi-Fi network, work VPN, and work mail server, use a user credential profile.
- To use client certificates for Wi-Fi, VPN, and mail server authentication, you must associate the certificate profile with a Wi-Fi, VPN, or email profile.
- Android Enterprise devices don't support using certificates sent to devices by UEM for Wi-Fi authentication.
- Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.