AirWatch SCEP Proxy and Translation

SCEP Proxy


If your SCEP endpoint is not externally accessible to devices, AirWatch Device Services can act as the SCEP endpoint and forward SCEP traffic to the internal-only SCEP server. AirWatch will not parse the request from the device or require access to the SCEP server's private key, which improves security and provides flexible options for existing certificate infrastructure.
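A sketch of the pass-through relay described above, added here as an illustration and not AirWatch code: it reads only the SCEP operation name (RFC 8894) and relays the enrollment message unchanged, so the relay never needs the CA's private key. The upstream URL, the size cap, the function name and the operation allow-list are assumptions that the page does not describe.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Operation names defined by SCEP (RFC 8894).
SCEP_OPERATIONS = {"GetCACaps", "GetCACert", "GetNextCACert", "PKIOperation"}
# Assumed placeholder for the internal-only SCEP server, not a real endpoint.
UPSTREAM = "https://scep.internal.example/scep"
# Assumed upper bound on a relayed enrollment message.
MAX_BODY = 64 * 1024


def build_upstream_request(method, target, body=b""):
    """Map a device request to (method, url, body) for the internal server.

    Only the operation name is inspected. The enrollment message, a CMS blob
    encrypted to the CA, is relayed as received and never decoded here.
    """
    if method not in ("GET", "POST"):
        raise ValueError("method not used by SCEP")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    ops = query.get("operation", [])
    if len(ops) != 1 or ops[0] not in SCEP_OPERATIONS:
        raise ValueError("missing, duplicate or unknown SCEP operation")
    forward = {"operation": ops[0]}
    if method == "POST":
        # RFC 8894 allows POST only for PKIOperation messages.
        if ops[0] != "PKIOperation" or not body or len(body) > MAX_BODY:
            raise ValueError("POST is relayed only for a bounded PKIOperation")
    else:
        if body:
            raise ValueError("GET must not carry a body")
        messages = query.get("message", [])
        if len(messages) > 1:
            raise ValueError("duplicate message parameter")
        if messages:
            forward["message"] = messages[0]
    # The device-supplied path and any other parameters are dropped, so the
    # device cannot steer the relay to a different internal URL.
    return method, UPSTREAM + "?" + urlencode(forward), body
```

A real relay would then send the returned request to the internal server and stream the response back to the device without modifying it.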

Supported Device Platforms

  • iOS
  • Windows Phone 8.1

Supported Certificate Authorities

  • SCEP with NDES
  • Generic SCEP
  • Entrust SCEP

High Level Design


AirWatch Configuration

Step 1: CA Configuration

- Ensure that the Enable Proxy check box is checked.

- If ACC will be included, AirWatch SCEP Proxy should be checked by default.


Step 2: Profile Configuration

- Configure a SCEP payload.


SCEP Translation


With SCEP translation enabled, AirWatch Device Services behaves as a SCEP endpoint for the device while communicating with the CA configured in AirWatch using that CA's native protocol. It also forces the public-private key pair to be generated on the device instead of through AirWatch, which improves security and CA performance.

Supported Device Platforms

  • iOS only

Supported Certificate Authorities

  • Microsoft ADCS
  • Symantec – non-escrowed profiles only


High Level Design



