Credentials device policy

Credentials device policies point to a PKI configured in Endpoint Management. For example, your PKI configuration might include a PKI entity, a keystore, a credential provider, or a server certificate. For more information about credentials, see Certificates and authentication.

Each supported platform requires a different set of values, which are described in this article.

Note:

Before you can create this policy, you need the credential information you plan to use for each platform, plus any certificates and passwords.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS and tvOS settings

Device Policies configuration screen

Configure the following settings:

  • Credential type: In the list, click the type of credential to use with this policy and then enter the following information for the selected credential:
    • Certificate
      • Credential name: Enter a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and navigating to the file’s location.
    • Keystore
      • Credential name: Enter a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and navigating to the file’s location.
      • Password: Enter the keystore password for the credential.
    • Server certificate
      • Server certificate: In the list, click the certificate to use.
    • Credential provider
      • Credential provider: In the list, click the name of the credential provider.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field. Not available for iOS.

macOS settings

Device Policies configuration screen

Configure the following settings:

  • Credential type: In the list, click the type of credential to use with this policy and then enter the following information for the selected credential:
    • Certificate
      • Credential name: Enter a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and navigating to the file’s location.
    • Keystore
      • Credential name: Enter a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and navigating to the file’s location.
      • Password: Enter the keystore password for the credential.
    • Server certificate
      • Server certificate: In the list, click the certificate to use.
    • Credential provider
      • Credential provider: In the list, click the name of the credential provider.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.

Android settings

Credentials policy configuration screen

Configure the following settings:

  • Credential type: In the list, click the type of credential to use with this policy and then, enter the following information for the selected credential:
    • Certificate
      • Credential name: Type a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and then navigating to the file’s location.
    • Keystore
      • Credential name: Type a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and then navigating to the file location.
      • Password: Type the keystore password for the credential.
    • Server certificate
      • Server certificate: In the list, click the certificate to use.
    • Credential provider
      • Credential provider: In the list, click the name of the credential provider.

Android Enterprise settings

Credentials policy configuration screen

Configure these settings to determine how credentials settings are applied:

  • Apply to COPE. Allows you to configure credentials policy settings for fully managed devices with work profiles. These devices are also known as COPE (corporate owned personally enabled) devices. When this setting is On, select one of these settings:
    • Work profile. The credentials settings you configure apply only to the work profile on the device.
    • Managed device. The credentials settings you configure apply only to the device.
    • Both. The credentials settings you configure apply to the work profile and the device.

    When this setting is Off, the credentials settings you configure apply only to the device. Default is Off.

Configure the credential settings:

  • Credential type: In the list, click the type of credential to use with this policy and then enter the following information for the selected credential:
    • Certificate
      • Credential name: Type a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and then navigating to the file location.
    • Keystore
      • Credential name: Type a unique name for the credential.
      • The credential file path: Select the credential file by clicking Browse and then navigating to the file location.
      • Password: Type the keystore password for the credential.
    • Server certificate
      • Server certificate: In the list, click the certificate to use.
    • Credential provider
      • Credential provider: In the list, click the name of the credential provider.
      • Apps to use certificates: To specify apps that have silent access to the credentials from this provider: Click Add, select an app, and click Save.
  • Credential Alias. Use the credential alias with the Android Enterprise Managed Configuration device policy to make it easier for the app to access the certificate. Find the credential alias in the Android Enterprise Managed Configuration device policy for the app. Type the credential alias in the Credential Alias field in the Credentials device policy. When the same certificate alias is configured in the two policies, the app retrieves the certificate and authenticates the VPN without any action by users.

Windows Desktop/Tablet settings

Device Policies configuration screen

  • Certificate Type: In the list, click either ROOT or CLIENT.
  • If you click ROOT, configure these settings:
    • Store device: In the list, click root, My, or CA for the location of the certificate store for the credential. My stores the certificate in users’ certificate stores.
    • Location: For Windows 10 tablets, System is the only location.
    • Credential type: For Windows 10 tablets, Certificate is the only credential type.
    • Credential file path: Select the certificate file by clicking Browse and navigating to the file’s location.
  • If you click CLIENT, configure these settings:
  • Location: For Windows 10 tablets, System is the only location.
  • Credential type: For Windows 10 tablets, Keystore is the only credential type.
  • Credential name: Type the name of the credential. This field is required.
  • Credential file path: Select the certificate file by clicking Browse and navigating to the file’s location.
  • Password: Type the password associated with the credential. This field is required.

Windows Phone settings

Device Policies configuration screen

  • Certificate Type: In the list, click either ROOT or CLIENT.
  • If you click ROOT, configure these settings:
    • Store device: In the list, click root, My, or CA for the location of the certificate store for the credential. My stores the certificate in users’ certificate stores.
    • Location: The System value is the only location for Windows phones.
    • Credential type: Certificate is the only credential type for Windows phones.
    • Credential file path: Select the certificate file by clicking Browse and navigating to the file’s location.
  • If you click CLIENT, configure these settings:
    • Location: For Windows phones, System is the only location.
    • Credential type: For Windows phones, Keystore is the only credential type.
    • Credential name: Type the name of the credential. This field is required.
    • Credential file path: Select the certificate file by clicking Browse and navigating to the file’s location.
    • Password: Type the password associated with the credential. This field is required.

Workspace Hub settings

Device Policies configuration screen

  • The credential file path: Browse for the CA certificate file or .zip file containing the certificates to upload. This policy supports .cer, .crt, .pem, and .der certificate files.