Configuring a client-provided certificate enrollment setting
This section covers client-provided certificate enrollment settings.
Client-provided certificate enrollment settings are applicable only to iOS and Android devices.
Overview of client-provided certificate enrollment settings
Derived credentials are identity certificates derived from the certificates on a smart card. The derived credentials are stored on the device in Ivanti Mobile@Work on iOS devices, and in Secure Apps Manager on Android devices. AppConnect apps on mobile devices can use derived credentials for these purposes:
- Authentication to backend servers, such as email servers, web servers, or app servers
- Digital signing
- Encryption
- Decryption of older emails for which the original encryption certificate has expired (iOS only)
- Authenticating the user to Standalone Sentry when using AppTunnel with Kerberos authentication to the backend server
You create a client-provided certificate enrollment setting when you want an AppConnect app to use derived credentials for one of these purposes. You then refer to that client-provided certificate enrollment setting from the appropriate app or configuration setting.
The certificate enrollment setting is called client-provided because Ivanti Mobile@Work for iOS or Secure Apps Manager for Android, known as client apps, provide the identity certificate to the AppConnect app.
Only the following settings can refer to a client-provided certificate enrollment setting:
- AppConnect app configuration
  It can refer to a client-provided certificate enrollment setting in:
  - the value in a key-value pair in its App-specific Configurations section
  - the identity certificate in its AppTunnel Rules section
- Ivanti Web@Work setting
  It can refer to a client-provided certificate enrollment setting in:
  - the value in a key-value pair in its Custom Configurations section
  - the identity certificate in its AppTunnel Rules section
- Ivanti Docs@Work setting
  It can refer to a client-provided certificate enrollment setting in:
  - the value in a key-value pair in its Custom Configurations section
  - the identity certificate in its AppTunnel Rules section
Make sure the version of Ivanti Mobile@Work for iOS or the Secure Apps Manager for Android on the device supports client-provided certificate enrollment settings as shown in the following table:
Reference to the client-provided certificate enrollment setting | iOS: Ivanti Mobile@Work prior to 8.5 | iOS: Ivanti Mobile@Work 8.5 and 8.6 | iOS: Ivanti Mobile@Work 9.0 or supported newer versions | Android: All versions of Secure Apps Manager supported or compatible with Ivanti EPMM
In key-value pairs | Not supported | Supported | Supported | Supported
In AppTunnel rules | Not supported | Not supported | Supported | Not supported
- Ivanti Derived Credentials Guide for EPMM
- PIV-D Manager for iOS Release Notes
- PIV-D Manager for Android Release Notes
Specifying a client-provided certificate enrollment setting
To specify a client-provided certificate enrollment setting:
- Go to Policies & Configs > Configurations.
- Select Add New > Certificate Enrollment > Client-Provided.
- In the New Client-Provided Certificate Enrollment Setting dialog box, use the following guidelines to specify your settings.
Item | Description
Name | Enter brief text that identifies this certificate enrollment setting.
Description | Enter additional text that clarifies the purpose of this certificate enrollment setting.
Select purpose | Select one of the following, depending on the intended use of the client-provided identity certificate: Authentication, Decryption, Encryption, or Signing.
Provider | Select the derived credential provider.
- Click Save.