Implement cert-based auth for ActiveSync and the Gmail app. If it is the Outlook app, you will be required to do SAML/SSO and use per-app VPN tunneling to achieve this, which uses cert-based auth as the underlying pre-authentication mechanism, so the user is never asked to enter a password after device registration into the UEM platform.
Really depends on the specific use case. For instance, with Workspace ONE you can often use the built-in CA for stuff like VPN or email gateway. I recently had a customer with some open source Linux SCEP box. Despite how much I dislike SCEP - it worked (after they made their root CA cert compliant with new Apple requirements).
The question is, what causes these password reset requests, and what are the applications for which the passwords must be reset?
If you have an AD with Kerberos-based services, you can take a look at Hypergate and/or the built-in iOS Kerberos client. Hypergate offers SSO and self-service password reset without any additional back-end (other than the AD), but comes at a cost. The built-in Kerberos client for Apple only offers SSO but is included on iOS devices. For Android, on the other hand, if you go down this route Hypergate will be the only option, since there is no built-in Kerberos client on Android Enterprise.