Supported protocols for MDM automation in VMware Workspace ONE
When using VMware Workspace ONE as an MDM provider, the enrollment automation supports the following protocols.
- The PKI protocol for Entrust MDMWS PKCS #12 enrollment.
- The Simple Certificate Enrollment Protocol (SCEP).
See below the profiles of the mdmws group supported by each protocol.
| Profile | PKI | SCEP |
|---|---|---|
| mdmws-digital-signature | ❌ | ✔ |
| mdmws-digital-signature-key-encipherment | ❌ | ✔ |
| mdmws-digital-signature-key-encipherment-clientauth | ❌ | ✔ |
| mdmws-key-encipherment | ❌ | ✔ |
| mdmws-non-repudiation | ❌ | ✔ |
| mdmws-p12-digital-signature | ✔ | ✔ |
| mdmws-p12-digital-signature-key-encipherment | ✔ | ✔ |
| mdmws-p12-digital-signature-key-encipherment-clientauth | ✔ | ✔ |
| mdmws-p12-key-encipherment | ✔ | ✔ |
| mdmws-p12-non-repudiation | ✔ | ✔ |
See below for additional protocol differences.
Private key
Key generation has the following protocol-related differences.
- With PKI:
- The Entrust CA generates the private key and delivers it to Workspace One as a PKCS #12.
- Workspace One delivers the resulting private key and certificate to the managed device.
- With SCEP, the managed device generates the private key along with the CSR.
Certificate information
Certificate information has the following protocol-related differences.
- With PKI, Entrust CA provides certificate information using the MDMWS API.
- With SCEP, the certificate information is in the CSR.
CSR challenge passwords
CSR challenge passwords have the following protocol-related differences.
- The PKI protocol does not use CSR challenge passwords.
- With SCEP:
- Workspace One requests challenge passwords from the MDMWS API of the Entrust CA.
- Workspace One provides the challenge password to the managed devices.
- The devices embed the challenge password into the CSR for SCEP enrollment.
Enrollment request
Enrollment requests have the following protocol-related differences.
- With the PKI protocol, Workspace One submits the enrollment requests.
- With the SCEP protocol:
- The managed devices submit the enrollment requests to the SCEP endpoint of the Entrust CA.
- Optionally, you can use Workspace One as an SCEP Proxy to perform SCEP against Workspace One instead of the Entrust CA.
Support status
The PKI protocol is fully supported. However, support for the SCEP protocol is temporarily broken because Workspace One:
- Sends an incorrect SCEP URL to the managed devices
- Ignores the RDN Format custom variables selected when Configuring Workspace ONE in PKIaaS.
ℹ Entrust is working with Workspace One to fix these issues.