Configuring MDM automation in VMware Workspace ONE

When using VMware Workspace ONE as MDM provider, the enrollment automation supports the following protocols.

See below the MDMWS certificate profiles supported by each protocol.

Profile	PKI	SCEP
mdmws-digital-signature
mdmws-digital-signature-key-encipherment
mdmws-digital-signature-key-encipherment-clientauth
mdmws-key-encipherment
mdmws-non-repudiation
mdmws-p12-digital-signature
mdmws-p12-digital-signature-key-encipherment
mdmws-p12-digital-signature-key-encipherment-clientauth
mdmws-p12-key-encipherment
mdmws-p12-non-repudiation

See below for additional protocol differences.

	PKI	SCEP
Private key	Generated by the Entrust CA and delivered to Workspace One as a PKCS #12. Workspace One delivers the resulting private key and certificate to the managed device.	Generated along with the CSR by the managed device
Certificate information	Provided to the Entrust CA using the MDMWS API.	Contained within the CSR.
CSR challenge passwords	Not used.	Workspace One: Requests challenge passwords from the MDMWS API of the Entrust CA. Provides the challenge password to the managed devices. The devices embed the challenge password into the CSR for SCEP enrollment.
Enrollment request	Submitted by Workspace One.	Submitted by the managed devices to the SCEP endpoint of the Entrust CA. Optionally, you can use Workspace One as SCEP Proxy to perform SCEP against Workspace One instead of the Entrust CA.
Support status	Fully supported	Temporarily broken because Workspace One: Sends an incorrect SCEP URL to the managed devices Ignores the custom variables of the RDN Format selected when Adding digital identifiers to a Certificate Enrollment Gateway for MDM. We are working with Workspace One to fix this.

Follow the steps below to automate MDM enrollment in VMware Workspace ONE.