Skip to main content
Skip table of contents

Enroll on behalf of in WinEP

This article is valid for CM 8.5 and later.

This article describes Enroll on behalf of (EOBO) in Nexus Windows Enrollment Proxy - WinEP.

  • To activate support for Enroll on behalf of (EOBO) you must create an enrollment agent softtoken (P12) containing the extended key usage Certificate Request Agent.
  • The created enrollment agent softtoken must be made available to the enrollment agent performing the enrollment request.
  • The enrollment agent certificate(s) must be configured for each handler in in the Protocol Gateway instance that WinEP is connected to.
  • For each Protocol Gateway handler that should support EOBO, the configuration parameter handler.x.enrollmentAgent.certs.x is required. See "Example configuration EOBO".


Restrict enrollment agent

You can restrict the enrollment agent to only be able to issue certificates for target users that are a part of or not a part of specific groups.

  • Use the configuration parameters enrollmentAgent.allowedGroups and enrollmentAgent.blockedGroups in the Protocol Gateway file. See "Example configuration EOBO".
Example configuration EOBO

This is an example configuration for EOBO on the User template in

Example: Configure Enroll on behalf of

handler.0.filter = User
handler.0.format = winep-user
handler.0.tokenprocedure = WinEP Token Procedure
handler.0.enrollmentAgent.certs.1 = winep-enrollment-agent.cer
handler.0.enrollmentAgent.allowedGroups = Employee, Managers
handler.0.enrollmentAgent.blockedGroups = Administrators, IT
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.