
https inspection - decrypt and scan using public cert?

We're currently using HTTPS inspection, but for URL filtering only. We want to move it up a notch and use decrypt and scan.

I understand the concept of trusting the UTM's root CA if this were a private cert, and the need to install/trust the root CA on each device, which can be a fair amount of work to get through if looking at hundreds of clients. Even in a Windows domain, where the trust could be deployed via a GPO etc., it can still be troublesome, e.g. for Android devices etc.

So the question is..... is all this trouble and effort avoided by purchasing a certificate from a trusted root authority, e.g. DigiCert? And would a wildcard suffice for this?



  • Louis,

    In HTTPS Decrypt and Scan, the UTM is conducting a man-in-the-middle attack. There should be no way to get around this by using another certificate. If there is, then what's the point of having the UTM or activating HTTPS scanning? The only way one would bypass HTTPS scanning is to go out through another protocol on another port, or bypass the UTM altogether and go out through another route.

    Unless you have an MDM (Sophos Mobile, VMware AirWatch, ManageEngine, etc.) that can mass-deploy certificates to all your various Android devices, I don't know of any other way to update a group of Android devices at once. Some MDMs can mass-deploy certificates and security settings to computers and other devices as well, giving you an all-in-one deployment platform.

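The point of the reply above can be checked with a throwaway PKI. The following is an added example, not code from the thread, from Sophos or from any UTM, written against Go's standard library. An inspection CA, a constructed stand-in for a public CA (it is not DigiCert) and a wildcard bought from it are all generated in-process, and the host name www.example.com is assumed. It then plays the client's side for the three cases the question raises: a device with the UTM CA in its trust store, a device without it, and the UTM trying to sign with the purchased wildcard instead of its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template. isCA sets basicConstraints, the bit a
// path validator uses to decide whether this certificate may sign others.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // throwaway PKI; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // end-entity: name goes in the SAN, usage is server auth only
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a P-256 key for tmpl and signs it under parent with signerKey (parent == nil: self-signed).
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// must panics on issuance errors, which here are programming mistakes except in the case Scenarios checks explicitly.
func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// ClientVerify is the browser's side: path-build to the device trust store (here one root) and check the host name.
func ClientVerify(leaf, root *x509.Certificate, host string, presented ...*x509.Certificate) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range presented {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Scenarios runs the thread's three cases; a nil verdict means the client accepted the intercepted connection.
func Scenarios() map[string]error {
	// The UTM's private inspection CA, a constructed stand-in for a public CA (not DigiCert)
	// and a wildcard bought from it. Public CAs issue subscriber certificates with CA:FALSE.
	utmRoot, utmKey := must(issue(template("UTM Inspection CA", true), nil, nil))
	publicRoot, pubKey := must(issue(template("Public Root CA (stand-in)", true), nil, nil))
	wildcard, wcKey := must(issue(template("*.example.com", false), publicRoot, pubKey))
	// What the UTM does per intercepted connection: mint a certificate for the
	// requested host on the fly and sign it with its inspection CA.
	const host = "www.example.com" // assumed host name for the example
	leaf, _ := must(issue(template(host, false), utmRoot, utmKey))
	r := map[string]error{
		"client with UTM CA installed": ClientVerify(leaf, utmRoot, host),
		"client without UTM CA":        ClientVerify(leaf, publicRoot, host),
	}
	// The shortcut from the question: sign with the purchased wildcard instead.
	// Either the library refuses a non-CA issuer or the client rejects the chain.
	leaf2, _, err := issue(template(host, false), wildcard, wcKey)
	if err == nil {
		err = ClientVerify(leaf2, publicRoot, host, wildcard)
	}
	r["purchased wildcard as issuer"] = err
	return r
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-30s -> %v\n", name, verdict)
	}
}
```

A certificate bought from a public CA, wildcard or not, carries basicConstraints CA:FALSE, so anything signed with it fails path validation on every client, exactly like the forged certificate does on a device that has never been given the UTM's CA. That is why no purchasable certificate removes the need to get the UTM's CA onto each device, whether by GPO, MDM or by hand. To see what your own UTM presents, compare the issuer reported by `openssl s_client -connect www.example.com:443` from a client behind the UTM with the one reported from outside it.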