Sending certificates to devices and apps using profiles

You can send certificates to devices and apps using the following profiles:
Profile
Description
CA certificate
CA certificate profiles specify a CA certificate that devices and BlackBerry Dynamics apps can use to trust the identity associated with any client or server certificate that has been signed by that CA.
User credential
User credential profiles send certificates to devices in the following ways:
  • Specify a connection to your organization's PKI software to send client certificates to devices and BlackBerry Dynamics apps.
  • Manually upload certificates in BlackBerry UEM and, in an on-premises environment, allow users to upload certificates using BlackBerry UEM Self-Service.
  • Allow BlackBerry Dynamics apps on Android devices and the BlackBerry Access app on macOS and Windows 10 devices to use certificates from the device native keystore.
  • Allow BlackBerry Dynamics apps to import certificates from other app-based PKI solutions such as Purebred.
User credential Intercede
User credential Intercede profiles can be configured and assigned to enable a user to use the UEM Client to activate their device with Intercede MyID and download derived credentials certificates from MyID to the BlackBerry Dynamics keystore, or to the BlackBerry Dynamics keystore and the device's native key chain. See Use Intercede MyID to provide derived credentials certificates to devices.
SCEP
SCEP profiles specify how devices and BlackBerry Dynamics apps connect to, and obtain client certificates from, your organization's CA using a SCEP service.
Shared certificate
Shared certificate profiles specify a client certificate that UEM sends to iOS and Android devices. UEM sends the same client certificate to every user that the profile is assigned to.
For iOS and Android devices, you can also send a client certificate to a device by adding the certificate directly to a user account. For more information, see Add and manage a client certificate for a user account.
For iOS and Android devices, if your organization uses certificates for S/MIME, you can also use profiles to allow devices to get recipient public keys and check certificate status. For more information, see Extending email security using S/MIME.
For BlackBerry Dynamics apps to use certificates sent by profiles, you must select "Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles" for the specific app on the App screen, Settings > BlackBerry Dynamics tab.
The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
  • To use SCEP profiles, you must have a CA that supports SCEP.
  • If you have set up a connection between UEM and your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to an Entrust CA or OpenTrust CA. You can also use a BlackBerry Dynamics PKI connector to connect to a CA server to enroll certificates for BlackBerry Dynamics enabled devices.
  • To use certificates with BlackBerry Dynamics apps, you must use a user credential profile or add the certificates to individual user accounts.
  • To allow users to upload certificates that they can use to connect to your work Wi-Fi network, work VPN, and work mail server, use a user credential profile.
  • To use client certificates for Wi-Fi, VPN, and mail server authentication, you must associate the certificate profile with a Wi-Fi, VPN, or email profile.
  • Android Enterprise devices don't support using certificates sent to devices by UEM for Wi-Fi authentication.
  • Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.
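
The private-key point in the last guideline can be checked with OpenSSL. The script below is an added example, not BlackBerry's code or UEM's implementation: it models a shared certificate (key created by the administrator, then copied out) beside SCEP-style enrollment (key created on the device, only the CSR leaves it) and reports who ends up holding each private key. The directories `admin/`, `ca/` and `device/` and all function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo. The directories admin/, ca/ and device/ are hypothetical
# stand-ins for the administrator, the CA and one enrolled device.

setup() {                      # $1 = empty working directory
  mkdir -p "$1/admin" "$1/ca" "$1/device"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
}

issue() {                      # $1 = work dir, $2 = CSR in, $3 = certificate out
  openssl x509 -req -in "$2" -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" \
    -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# Shared-certificate style: the administrator holds key and certificate,
# then the same pair is copied to the device.
shared_delivery() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shared-client" \
    -keyout "$1/admin/shared.key" -out "$1/admin/shared.csr" 2>/dev/null
  issue "$1" "$1/admin/shared.csr" "$1/admin/shared.crt"
  cp "$1/admin/shared.key" "$1/admin/shared.crt" "$1/device/"
}

# CA-enrollment style: the device creates the key; only the CSR leaves it.
enrolled_delivery() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device-client" \
    -keyout "$1/device/enrolled.key" -out "$1/device/enrolled.csr" 2>/dev/null
  cp "$1/device/enrolled.csr" "$1/ca/"
  issue "$1" "$1/ca/enrolled.csr" "$1/device/enrolled.crt"
}

# List every party holding a private key that matches certificate $2.
key_holders() {
  want=$(openssl x509 -in "$2" -noout -modulus)
  for k in "$1"/*/*.key; do
    if [ "$(openssl rsa -in "$k" -noout -modulus 2>/dev/null)" = "$want" ]; then
      basename "$(dirname "$k")"
    fi
  done | sort | xargs
}

demo() {
  w=$(mktemp -d); setup "$w"; shared_delivery "$w"; enrolled_delivery "$w"
  echo "shared:   $(key_holders "$w" "$w/device/shared.crt")"
  echo "enrolled: $(key_holders "$w" "$w/device/enrolled.crt")"
  rm -rf "$w"
}
demo
```

The same modulus comparison in `key_holders` is a quick audit check for whether a copy of a client key has been left on an administrative host after a certificate was uploaded.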