Device Identity Using Certificates Installed by a Device Manager

Configure Cloud Secure Edge to trust device certificates managed by your organization's Device Manager

  • Last validated: Jul 16, 2026

Overview

Many organizations deploy device certificates to all managed devices using an enterprise Certificate Authority (CA), such as Symantec. You can configure Cloud Secure Edge (CSE) to trust Device Certificates issued by your enterprise CA and distributed by your organization’s Device Manager. This guide implements the Device Manager Integrated clientless scenario described in Connection Methods.

Setup

  1. Gather the full certificate chain of the Root CA used to sign device certificates.

  2. Get the format used for the CN field of the Device Cert.

  3. In the Command Center, navigate to Settings > CSE Client tab > Device Manager tab.

  4. Set Device Manager Name to Device Cert Only, and then enter the Cert - Root CA (from step 1) and the Cert - Common Name (step 2).

  5. Select Update Device Cert.

These certificate values can be also be obtained from a managed device.

Cert Fields in Settings


What’s next

Cloud Secure Edge (CSE) TrustProvider now trusts device certificates managed by your organization’s Device Manager. To complete the clientless flow:

  1. Distribute the device certificates with your Device Manager — see Part B of Workspace ONE UEM - Device Identity & Enhanced Trust Scoring for a worked example.
  2. Publish the internal web app as a Hosted Website.
  3. Restrict it to known devices with a registered-devices role and policy per Managed, Registered, and Unregistered Devices.
Was this page helpful?