Certificates overview

Ivanti EPMM is capable of distributing and managing certificates. Certificates are mainly used for the following purposes:

  • Establishing secure communications
  • Encrypting payloads
  • Authenticating users and devices

Certificates establish user identity while eliminating the need for users to enter user names and passwords on their mobile devices. Certificates streamline authentication to key enterprise resources, such as email, Wi-Fi, and VPN. Some applications require the use of certificates for authentication.

Ivanti recommends to allow HTTPS traffic on port 8443 from the corporate network, limited to Ivanti applications only. This service is intended for EPMM server management and must have strictly controlled access.

The following diagram compares a certificate to a passport:

Figure 1. Comparing certificates to a passport

The certificate includes information that identifies the following information:

  • The issuing certificate authority
  • Acceptable uses for the certificate
  • Information that enables the certificate to be validated.

This solution provides the flexibility to use Ivanti EPMM as a local certificate authority, an intermediate certificate authority, or as a proxy for a trusted certificate authority.

Types of certificates

Ivanti EPMM uses the following types of certificates:

Table 79.  Certificate types

Certificate type

Description

Portal HTTPS

The identify certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing a client (such as a browser or app) to trust Ivanti EPMM. Typically, this certificate is the same certificate as the Client TLS and iOS Enrollment certificates.

Ivanti EPMM sends this certificate to the client as part of the TLS handshake over port 443 or 8443 when the client initiates a request to Ivanti EPMM.

This certificate must be a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.

“Certificates you configure on the System Manager” in the Ivanti EPMM System Manager Guide.

Client TLS

The identify certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing Ivanti Mobile@Work for iOS and Android to trust Ivanti EPMM. Typically, this certificate is the same certificate as the Portal HTTPS and iOS Enrollment certificates.

Ivanti EPMM sends this certificate to Ivanti Mobile@Work for iOS or Android as part of the TLS handshake over port 9997 when Ivanti Mobile@Work initiates a request to Ivanti EPMM.

“Certificates you configure on the System Manager” in the Ivanti EPMM System Manager Guide.

Ivanti EPMM server SSL

Can be either self-signed or third-party certificates. By default, Ivanti EPMM generates self-signed certificates. You can use trusted certificates from third-party certificate providers such as Verisign, Thawte, or Go Daddy. Kerberos and Entrust certificates are also supported.

Sentry server SSL

Identifies the Sentry to the client and secures communication, over port 443, between devices and the Sentry.

Client identity

Verifies the identity of users and devices and can be distributed through Certificate Enrollment.

Enrollment specific identification

Prior to setting up enrollment, it is important to decide whether a unique ID will be used for devices. This feature is part of the work profile enrollment of your organization and provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation.

  • ENROLLMENT_ID key is saved in the mi_device_detail table.

    • Enrollment ID is visible under device details page.

  • Devices can be filtered using Enrollment id.

The enrollment-specific ID is reported and presented in device details page for new installs and post upgrade to Android 12. If a device is factory reset, and re-enrolled to the same Ivanti EPMM instance, the re-enrolled device shall REPLACE the previous device based on the Enrollment ID. A new unique ID is presented when the device registers to a new tenant.

Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12.

This identifier is effective for new installs and post-upgrade to Android 12. Following are the supported modes:

  • Work Profile

  • Work Managed Device

  • Work Profile on Company Owned Device

Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Ivanti EPMM instance.

Samsung Knox devices and certificates managed by Ivanti EPMM

Certificates managed by Ivanti EPMM are automatically removed from a Samsung Knox device when the device is retired, or when the label that applied the certificate to the device is removed from the certificate.