Configuration Profile Encryption

I'm trying to figure out how to encrypt a configuration profile sent from an MDM.

There is a certificate sent to the MDM during the call to get configuration. Is this what I need to be using to encrypt?

And does this certificate use the UID mentioned in the quote below?

"The Secure Enclave includes a unique ID (UID) root cryptographic key. The UID is unique to each individual device and isn’t related to any other identifier on the device."
