Supported certificate scenarios

Ivanti EPMM supports the following certificate scenarios:

Ivanti EPMM as a certificate authority

You can configure Ivanti EPMM as a local certificate authority (CA) for the following scenarios:

  • Ivanti EPMM as an Independent Root CA (self-signed)—Configure Ivanti EPMM as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Ivanti EPMM as the certificate authority.
  • Ivanti EPMM as an Intermediate CA—Use this option when your company already has its own certificate authority. Using Ivanti EPMM as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

Using Ivanti EPMM as a certificate proxy

Ivanti EPMM can act as a proxy to a third-party CA, using either APIs exposed by the third-party CA or the SCEP protocol to obtain the certificates required by a Certificate Enrollment. This enables you to configure certificate-based authentication for devices.

Using Ivanti EPMM as a certificate proxy has the following benefits:

  • Certificates verify Exchange ActiveSync, Wi-Fi and/or VPN connections, eliminating the need for passwords that are complex to manage.
  • Ivanti EPMM can manage certificates by checking status against a CA's CRL, deactivating revoked certificates, and requesting replacements when certificates are about to expire.
  • Ivanti EPMM can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
  • Simplified enrollment with the following:
    • MS Certificate Enrollment
    • Entrust
    • Local CA
    • Symantec Managed PKI
    • User provided certificates
    • Open Trust
    • Symantec Web Services Managed PKI

The following applications are supported:

  • ActiveSync is supported with Ivanti Email+ and TouchDown.
  • VPN is supported on Android with Cisco AnyConnect.
  • Wi-Fi.

The following certificates are supported for Android devices:

  • Microsoft NDES Certificate Enrollment
  • Entrust
  • Local CA
  • Symantec Managed PKI
  • User provided certificates
  • Open Trust
  • Symantec Web Services Managed PKI
  • Client-Provided certificates

For information about how to create certificate enrollment settings in Ivanti EPMM, see Certificate Enrollment settings.

Kerberos constrained delegation

You can use Kerberos constrained delegation (KCD) for authenticating the device to the ActiveSync server, the app server, and to Sentry.

For detailed information about how to configure Ivanti EPMM to use Kerberos authentication, see “Device and server authentication support for Standalone Sentry” in the Ivanti Standalone Sentry Guide for EPMM.