Good points mentioned already, so I'll just add a few things.
1. Security.
a) AD username/password isn't stored locally on the device...
b) IT-dept often has to avoid locking an account due to wrong password since users often ignore the "enter password" on their mobile devices, thus locking their accounts. With certificates the normal security process can be kept.
c) Enforce certificate auth for devices that need that extra level of access. We see that tablets and bigger mobile devices require more access - with Onboard you can enforce some more device security (like PIN code) for this.
It is for sure a burden on the user, but it's really not a big deal. We have customers who have lots of IT-ignorant users who are still able to go through the onboarding process. Just involve some users in your user-testing/documentation to ensure that you do it in a way your company can handle. When "beta"-testing - adjust the default expiration and alerts to something low enough so they get the expiration warning and see how that goes.
2. The profile and certificate are stored locally on the device. After a wipe the user has to go through the Onboarding process. Make sure your process is water-tight ;)
3. Look at no. 1. If you don't have a problem with user/password security, IT-dept getting clogged with password problems each month and such, then Onboard might not be for you.