An important notion is the delivery mode of certificates. Delivery is independent of issuance, although it applies only when the issuing mode is newly issued [sign], not recovered [fetch] from the PKI.
Two modes of certificate delivery are available: centralized and distributed. Distributed mode uses the SCEP protocol, so it is available only where the client supports that protocol; in some situations it is mandatory.
For a Credential Provider to support distributed (SCEP-assisted) delivery, a special configuration step is necessary: setting up Registration Authority (RA) certificates. Those are required because when using the SCEP protocol, XenMobile acts like a delegate (a registrar) to the actual CA, and must prove to the client that it has the authority to act as such. That authority is established by providing XenMobile with the aforementioned certificates.
To configure the Credential Provider’s RA certificates, you must first upload them to the Server Certificates repository, and then link to them in the Credential Provider.
A Credential Provider is considered to support distributed delivery if, and only if, it has a certificate configured for each of the aforementioned roles. Each Credential Provider can be configured to prefer centralized mode, to prefer distributed mode, or to require distributed mode. The actual result depends on the context: if the context does not support distributed mode but the Credential Provider requires it, deployment fails. Likewise, if the context mandates distributed mode but the Credential Provider does not support it, deployment fails. In all other cases, the preferred setting is honored.
| Context | SCEP supported | SCEP required |
|---|---|---|
| iOS Profile Service | yes | yes |
| iOS MDM enrollment | yes | no |
| iOS configuration profiles | yes | no |
| Windows Phone enrollment | no | no |
| Windows Phone configuration | no | no |
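
The resolution rules and the context table combined into a pre-deployment check, as an added example that is not XenMobile code. `Setting`, `resolve_delivery` and `audit` are hypothetical names, and the two behaviours marked as assumptions in the comments are not stated on this page.

```python
from enum import Enum

class Setting(Enum):
    PREFER_CENTRALIZED = "prefer centralized"
    PREFER_DISTRIBUTED = "prefer distributed"
    REQUIRE_DISTRIBUTED = "require distributed"

class DeploymentError(Exception):
    """Raised when provider and context cannot agree on a delivery mode."""

# Context -> (SCEP supported, SCEP required), copied from the table above.
CONTEXTS = {
    "iOS Profile Service": (True, True),
    "iOS MDM enrollment": (True, False),
    "iOS configuration profiles": (True, False),
    "Windows Phone enrollment": (False, False),
    "Windows Phone configuration": (False, False),
}

def resolve_delivery(context, setting, ra_certs_configured):
    """Return 'centralized' or 'distributed', or raise DeploymentError."""
    scep_supported, scep_required = CONTEXTS[context]
    if setting is Setting.REQUIRE_DISTRIBUTED and not scep_supported:
        raise DeploymentError(f"{context}: provider requires SCEP, context lacks it")
    if scep_required and not ra_certs_configured:
        raise DeploymentError(f"{context}: context mandates SCEP, RA certificates missing")
    # Assumption: requiring distributed mode without RA certificates also fails.
    if setting is Setting.REQUIRE_DISTRIBUTED and not ra_certs_configured:
        raise DeploymentError(f"{context}: provider requires SCEP, RA certificates missing")
    if scep_required or setting is Setting.REQUIRE_DISTRIBUTED:
        return "distributed"
    # Assumption: a mere preference falls back to centralized when SCEP is unusable.
    if setting is Setting.PREFER_DISTRIBUTED and scep_supported and ra_certs_configured:
        return "distributed"
    return "centralized"

def audit(setting, ra_certs_configured):
    """Map every context to its delivery mode or to the failure reason."""
    results = {}
    for context in CONTEXTS:
        try:
            results[context] = resolve_delivery(context, setting, ra_certs_configured)
        except DeploymentError as exc:
            results[context] = f"FAIL: {exc}"
    return results

if __name__ == "__main__":
    for name, outcome in audit(Setting.PREFER_CENTRALIZED, False).items():
        print(f"{name:30} {outcome}")
```

Running `audit` for a provider before linking it to a policy shows which contexts would fail deployment because RA certificates are missing or because the context cannot use SCEP.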