AirWatch Glossary

The following glossary defines common terms with an emphasis on how they are relevant to AirWatch and enterprise mobility. 


Exchange ActiveSync (EAS) is a Microsoft technology that allows mobile users to access their Microsoft Exchange mailboxes and use -mail, calendar, contacts and tasks on their mobile devices. Administrators can control which devices have access to the Exchange Server. Exchange ActiveSync works with a wide variety of mobile operating systems, including Windows Mobile, Windows Phone, iOS, Android, Symbian and Palm WebOS.

AD (Active Directory)

Is Microsoft’s version of a directory service for Windows networks (and by far the most widely used in industry). It acts as the domain controller to manage all corporate users and authentication requests. This is an implementation of LDAP.


 This is the device side AirWatch App that offers advanced MDM functionality.


Android is a mobile operating system developed by Google.

API – (Application Programming Interface)

As opposed to standalone, closed software, there are features in inter-operable programs which can be accessed through a programming interface. AirWatch opens information to other software via an API, provided that the service is installed on the server.

APNS   (Apple Push Notification Service)

The Apple Push Notification Service (APNS) is a mobile service created by Apple that “pushes” notifications and alerts from applications on servers to iPhones, iPads and iPods.

APN (Access Point Network)

Private Telecom Data Network


A Windows Mobile device service that establishes a connection to the application server. In practice, it behaves like a web server once the connection (tunnel) is running. It can respond to remote queries.

Basic Authentication (Security Type)

A method of authenticating a user via a username/password in the database (as opposed to LDAP/AD, SAML, etc.)

BES (BlackBerry Enterprise Server)

BES is a middleware software package from Research in Motion (RIM) that syncs Emails, calendar information, and contacts between BlackBerry devices and messaging servers such as MS Exchange and Lotus Notes. It also connects BlackBerry devices with enterprise applications. BES includes a range of management and security features.

BYOD (Bring Your Own Device)

Refers to the "consumerization" of IT infrastructure and the growing trend of employees bringing their own devices to the workplace. 

C2DM (Cloud to Device Messaging)

An Android messaging service used to push messages to Android phones over the cloud.

CalDAV (Calendar Extensions)

An internet standard allowing a client to access scheduling information on a remote server.


An internet standard allowing a client to retrieve contact information from your company's CardDAV compliant contact server.

CAB file (Cabinet File)

A Cab file is a Window CE/WM software install package (A Cab file is used to install AirWatch on Windows Mobile devices). Similar to a ZIP file, a CAB is an archive of files with additional capabilities (eg. modify system settings).


A certificate establishes identity. It consists of the public key and information about the owner (name, URL…) and a signature, by a trusted third-party CA. Other certificates can be self-signed (this is called a “root” certificate) in which case any clients must install and trust the certificate – with no guarantee that the claimed owner identity is genuine.

Certificate Store

The database of certificates on a Windows system; there are three types: personal, computer, and service account; the computer certificate store is for all users of the system; the personal store is for only the currently logged in user; within each store the most important sections are the “Personal Certificates” and the “Trusted Root Certification Authorities”; placing a CA certificate in the “Trusted Root Certification Authorities” folder will cause the computer to trust any certificate issued by that CA that has not been revoked or expired; you can get to the certificate store via Start->run->mmc and choosing Add/Remove snap-in, then choosing Certificate Manager.

CA (Certificate Authority)

A certificate authority is a server that issues certificates; CA’s are typically arranged in a tree-like hierarchical structure with a root CA, intermediate CA’s, and issuing CA’s; the root CA issues a certificate to each intermediate CA, which issues a certificate to each issuing CA under it; issuing CA’s then issue certificates to end-users or devices.

CAS (Client Access Server)

One of the 5 server roles that can be used for Microsoft Exchange 2010. Supports the Outlook Web app, Exchange ActiveSync, and the IMAP4 and POP3 mail protocols. Accepts connections to the Exchange 2010 Server from various clients.


Computer Interface To Message Distribution (CIMD) is a proprietary short message service center protocol developed by Nokia for their SMSC. This is a supported protocol in AirWatch for the SMS gateway.

Client Certificate

A client certificate is a certificate on a client device that is presented to a server for authentication; this is any certificate with a private key residing on a mobile device; note that certificates installed on a device with a public key only are not client certificates – these are used to establish trust with a given CA (e.g. GoDaddy or VeriSign).


(Pronounced "command-lets") A .NET command used in Windows PowerShell. Cmdlets are self-descriptive, specialized functions that output their results as objects and can also act as recipients in a pipeline.

CRF (Change Request Form)

An internal document sent to Senior Consultants or Operations management, aiming at keeping changes under control regarding live and production environments. The form must be filled out in any modification scenario.

CSR – (Certificate Signing Request)

The AirWatch application (“Service Provider” in the terms used by Apple) relays a device certificate to a CA for signing, which will provide trust in this certificate for all entities that trust the CA. The CSR specs, the actual request, and the SCEP server response are handled with the SCEP protocol.

CRL (Certificate Revocation List)

A certificate revocation list is a list of certificates issued by a given CA that have been revoked; each CA must publish its CRL to a location accessible to any user or device that must verify the validity of a certificate; when a device attempts to authenticate to a server with a certificate, typically that server will request the CRL, the location of which is specified in the certificate, and verify that the certificate has not been revoked – if it has, access is denied; an example of a scenario where certificate revocation is useful is when the certificate has been installed on a device which is lost or stolen.

Device Encryption

Device encryption is the ability to encrypt selected files or all of the files on a device to protect them from unauthorized access if the device is lost or stolen. Typically the user must enter a PIN before the device will decrypt and display encrypted files.

Directory Services

Directory Services is a system that stores, organizes, and provides access to information in a directory (such as a directory of corporate users).

EAS (Exchange ActiveSync)

Protocol to enable devices to interface Over the air with an MS Exchange server for email, contacts, calendar synchronization.

EMM (Enterprise Mobility Management)

The new term to fully describe the market for the AirWatch solution. It is more encompassing than MDM, and should be thought of as the unification of MDM, MAM, MEM, MCM, etc. 

EULA (End User License Agreement)

A Software license agreement typically presented to users before they can install/use a software product.

HA (High Availability)

A design or certification model that guarantees availability of a service.

Hidden Network

Refers to a Wi-Fi network that does not broadcast its network ID (SSID). This means it will not show up on a list of available Wi-Fi networks for your device, but is still available if you know the name and password. Devices can be automatically configured for access to this type of network with a Wi-Fi profile in AirWatch. 

IMEI (International Mobile Equipment Identity)

A number used to identify and validate a mobile device as legitimate (not stolen). Phone carriers can block a device by the IMEI number.

Issuing CA

A CA that issues certificate to end users or devices.

Key Usage

The intended purpose for a certificate can be specified within the metadata when it is issued; there are a range of purposes that can be specified – common ones are signing, encryption, client authentication, and server authentication.


The Apple mobile operating system.

iPCU (iPhone configuration utility)

Apple software to create device profiles (provisioning, configuration, applications).

Issuing CA

A Certificate Authority that issues certificates to end-users or devices.

LDAP – (Lightweight Directory Access Protocol)

Is the industry standard protocol for accessing and maintaining directory services distributed over a network

MDM (Mobile Device Management)

What AirWatch does best!


An environment characteristic (such as pilot) that can be shared by multiple clients. Thanks to Location Groups and the user permission scheme in place, one client is given access to a strictly delimited space in the environment. They can only modify and manage devices in their own Location Group

NDES (Network Device Enrollment Service)

The name for Microsoft's implementation of the SCEP protocol.

Organization Group

AirWatch identifies users and establishes permissions using Organization groups, which tie a user to their corporate role. The Organization Group identifier is the Group ID, which is entered by the user during enrollment.

OTA (Over-the-Air)

Operations performed remotely and wirelessly on a device. AirWatch uses over the air provisioning and over the air configuration.


A passcode is a string of characters or numbers used to authenticate a user to a device.


This is a supported SMS Protocol for communicating messages to the SMSC.

PowerShell (Windows)

Windows PowerShell is a command-line shell that is a framework/scripting language used to automate tasks and execute commands for Windows administration.

Provisioning Profile

A provisioning profile is a file installed on mobile devices, especially iPhones, which allows specific in-house applications to be installed and executed. Administrators can use provisioning profiles to restrict applications to specific devices.

PKI – (Public Key Infrastructure)

a PKI is a public key infrastructure, so named because a certificate consists of a public and a private key; the term PKI encompasses an organizations entire certificate infrastructure, including root, intermediate, and issuing CA’s, as well as SCEP/NDES servers, certificate distribution servers (e.g. LDAP), and CRL servers.

Private Key

The sensitive portion of a certificate (.pfx file); private keys should be known only to the owner/subject of the certificate and are not distributed; any certificate used by a client/device to authenticate to a server must have a private key.

Proxy Server

The proxy server is the server the client interacts with when it makes a request for information/files from the server. The proxy server evaluates the request and can return either a cached response from the server or will alter the response as to protect the server security/identity.

Public Key

The portion of a certificate that is freely distributed (.cer file); public keys can be used to encrypt data that can then only be read by the owner of the certificate (who is assumed to be the only possessor of the corresponding private key)

RA (Registration Authority)

 A registration authority is a server that handles certificate enrollment requests from a device or user on behalf of an issuing CA;  the RA passes the request to the CA, which then issues the certificate and sends it to the RA; the RA then sends the newly issued certificate to the requesting user or device.


Console user accounts can take on one or more roles, which give them a specific set of permissions within the environment. A Global Administrator role at Global gives a user full control over the system. A role grants or restricts access to specific functionality in the console.

Root CA

The main CA in a PKI; all other CA’s certificates, as well as all end user or device certificates, can be traced back to this CA; the root CA certificate should be installed on any server or device that must trust certificates from this PKI.

Reverse Proxy

 A stand in for a web server.  It sits in between the server that handles the requests and handles the actual resource being requested

S/MIME (Secure/Multipurpose Internet Extension)

A standard for securing messages through public key encryption. Requires a key/certificate.

SAML (Security Assertion Markup Language)-Security Type

A web-based user authentication method that supports single sign on (SSO) and uses security tokens as a means of communicating between an identity provider (end-user) and a server.

 SCEP (Simple Certificate Enrollment Protocol)

the SCEP protocol was designed by Cisco as a means of obtaining certificates for its routers to be used with IPSec communication – it has since been more widely used as a means of issuing certificates to mobile devices; a SCEP transaction consists of a device generating a public/private key pair, sending that key pair to the SCEP server (which is an RA), the SCEP server sending the request to an issuing CA, the certificate being granted and passed back to the SCEP server, and the SCEP server responding with an issued certificate; the SCEP protocol provides no means of user authentication – instead challenge tokens are used that are embedded in the body of the SCEP request (which is encrypted); best practice dictates that SCEP communication between the device and SCEP server should always be over unencrypted port 80, not port 443; the only mobile platform to currently support SCEP-based certificate enrollment is iOS, which can use SCEP certificate for authentication to WiFi networks, VPNs, and SSL client-certificate-protected websites (but not Exchange ActiveSync); AirWatch supports the Microsoft implementation of SCEP (called NDES) in both Windows Server 2003 and Windows Server 2008 – support for the VeriSign cloud-based managed PKI service is currently under development, as well as SCEP proxy functionality whereby the AirWatch server acts as a SCEP client and then passes the newly generated certificate to the device embedded in a profile.


System Center Configuration Manager (SCCM), is a systems management software product by Microsoft for managing large groups of Windows based computer systems. AirWatch will be able to integrate with this system in the future. 


 A set of development tools that allows for the creation of applications for software packages

SSL/TLS: Secure Socket Layer/ Transport Layer Security

 SSL is a means for secure communication over a network; a server presents its certificate to a client, which may verify the certificate; if client certificates are used, the client must then present its certificate to the server for validation; this is how certificate-based authentication to Exchange ActiveSync works

Self-Signed Certificate

 A certificate signed by the device/person that created it, and not by a 3rd party trusted CA; these certificates will not be trusted by any server that has not specifically chosen to trust that specific certificate.

Server certificate

A certificate presented by a server to a client; server certificates are typically granted to a specific DNS name; clients then validate that the server is presenting a certificate with a DNS name matching the one at which the client contacted the server.


Short Message Peer to Peer (SMPP) protocol is a telecommunications industry protocol for exchanging SMS messages between SMS peer entities such as SMSC and /or External Short Messaging Entities. 


Short Message Service Center (SMSC), is a network element in the mobile telephone network which delivers SMS messages. 


Is a standard for computer data logging and reporting. AirWatch can export event log data to any systems that support the SysLog protocol.  


A mobile OS used by Nokia phones.

TS – (Tunnel Server)

The Tunnel Server enables direct, ongoing connection with active mobile devices. It is one of the services running in the AirWatch architecture.

Tunnel (network connection)

A tunnel is a point-to-point connection that makes abstraction of the underlying network hops, and enables direct access between both ends.

Two-Factor Authentication

This may also be referred to as “something you have, and something you know”; the something you know is a traditional password; the something you have is a certificate or time-based token; two-factor authentication is becoming more common as companies increase the security of their mobile device deployments.

UC (Unified Communications) Certificate

An SSL certificate for which additional hostnames (domain names) are added as subject alternative names. Normally, the subject name of the certificate is where the domain name is found, but on UC certificates, the list of names in "subject alternative name" may be the one containing the name you/your client need certified.

 VPN- (Virtual Private Network)

 A mechanism for providing secure, reliable transport over Internet[1].The VPN uses authentication to deny access to unauthorized users, and encryption to prevent unauthorized users from reading the private network packets.

WAP (WAP: Wireless Application Protocol)

An open international standard. A WAP browser is a commonly used web browser for small mobile devices such as cell phones.

Web Clip

An iOS web browser shortcut displayed in the home screen (the android equivalent is called a bookmark).

Windows Mobile

A Microsoft mobile OS.

Windows Phone 7

A Microsoft mobile OS that is the successor to Windows Mobile.

WLAN – (Wireless Local Area Network)

A wireless network reaching users on the scale of a building. It includes Wi-Fi, but not Bluetooth (WPAN) nor Wi-Max (WMAN)

WWAN – (Wireless Wide Area Network)

A family of wide-range wireless networks of the city or country scale: it includes Wi-Max (also a WMAN), UMTS, GPRS, CDMA2000, GSM, HSDPA and 3G.

WMAN (Wireless Metropolitan Area Network)

A wireless network available to users on a town or city scale.

WPAN – (Wireless Personal Area Network)

A wireless network providing user connectivity to his immediate surroundings (eg: Bluetooth).

 X.509 Certificate

 Also referred to simply as a certificate since X.509 is the most common format, a container for a public/private key pair that has been signed by a certificate authority that guarantees the key pair is owned by the subject stated in the certificate metadata; the key pair is signed cryptographically by the CA such that no modifications can be made to the certificate by a 3rd party without detection.


A format used by Windows for certificates containing both a public and a private key; the file is always password protected.


A format used by Windows for certificates containing only a public key; these files are not password protected since they do not contain sensitive information (only the private key is sensitive).

Have more questions? Submit a request


Article is closed for comments.