Configuring Blue Coat Mobile Device Security service integration

Ivanti EPMM supports integration with the Blue Coat Mobile Device Security (MDS) service. This integration allows you to manage your iOS devices’ traffic to the Internet, by directing all the traffic to the Blue Coat MDS service first. The service can then, for example, stop access to specific web sites based on corporate security rules that you set up on a Blue Coat site. The Blue Coat MDS service also provides traffic analytics. This integration is supported only with iOS devices.

Overview of how to set up Ivanti EPMM integration with the Blue Coat MDS service

To set up Ivanti EPMM to integrate with Blue Coat MDS, do the following high-level steps:

  1. Work with Blue Coat to set up Ivanti EPMM as your Unified Endpoint Management (UEM) vendor on the Blue Coat MDS service.
  2. Get a Blue Coat customer ID from Blue Coat.
  3. Get the certificate that Ivanti EPMM uses to authenticate to the Blue Coat MDS service so that Ivanti EPMM can interact with the service. An example of such an interaction is when Ivanti EPMM informs the MDS service about which iOS devices are registered.
  4. Set up a Blue Coat certificate enrollment setting.

     This setting contains the information that Ivanti EPMM needs to request an identity certificate for a device from the Blue Coat MDS service. This certificate authenticates the device to the Blue Coat MDS service when the device’s traffic is directed to the MDS service.

     For details, see Configuring the Blue Coat certificate enrollment setting.
  5. Set up an IPsec (Blue Coat) VPN setting on Ivanti EPMM.

     This always-on VPN directs all device traffic to the Blue Coat MDS service first.

     For details, see Configuring the IPsec (Blue Coat) VPN setting.

Limitations when integrating with the Blue Coat MDS service

Because all device traffic is directed to the Blue Coat MDS service using an always-on VPN:

  • You cannot use any other VPNs on the device.
  • You cannot use Tunnel (AppTunnel with TCP tunneling) on the device because it uses a VPN.

Using AppTunnel with HTTP/S tunneling with AppConnect apps on the device is compatible with using the Blue Coat MDS service.

Configuring the Blue Coat certificate enrollment setting

Before you begin:

  • Set up Ivanti EPMM as your Unified Endpoint Management (UEM) vendor on the Blue Coat MDS service.
  • Get your Blue Coat customer ID.
  • Get the certificate and certificate password that Ivanti EPMM uses to authenticate to the Blue Coat MDS service.

Procedure 

  1. Go to Policies & Configs > Configurations and select Add New > Certificate Enrollment > Blue Coat.
  2. In the New Blue Coat Certificate Enrollment Setting dialog box, use the following guidelines to specify the settings.

    | Item | Description |
    | --- | --- |
    | Name | Enter brief text that identifies this certificate enrollment setting. |
    | Description | Enter additional text that clarifies the purpose of this certificate enrollment setting. |
    | Store keys on Ivanti EPMM | Specifies whether Ivanti EPMM stores the private key sent to each device. When storing keys is enabled, private keys are encrypted and stored on the local Ivanti EPMM. If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices. |
    | Blue Coat Customer ID / MDM Identifier | Specifies your Blue Coat customer ID. The customer ID is also known to Blue Coat as the MDM Identifier. |
    | API URL | Specifies the URL that Ivanti EPMM uses to interact with the Blue Coat MDS service. This field is set to https://mobility.threatpulse.com:9443. Typically, you do not change this field unless you are working with Blue Coat in a special test environment. |
    | Certificate 1 | Upload the certificate that Ivanti EPMM uses to authenticate to the Blue Coat MDS service. This certificate is available from Ivanti. |
    | Password 1 (Optional) | Enter the password for the certificate. This password is available from Ivanti. Although you can select Add Certificate to add additional certificates and their corresponding passwords, no reason currently exists to do so. |
    | Device Name | Optionally enter an Ivanti EPMM substitution variable that identifies the device. This device name is used by the Blue Coat MDS service. The device name allows you to differentiate multiple devices belonging to one user on Blue Coat MDS reports. |
    | User ID | Enter the email address for the user. Blue Coat requires that the User ID is the user’s email address. Typically, you use the Ivanti EPMM substitution variable $EMAIL$. |

  3. (Optional) Select Issue Test Certificate to verify the configuration by generating a test certificate and checking for errors. The Issue Test Certificate dialog box opens.

    Although this step is optional, it is recommended. No real certificate is generated.

  4. Enter a user’s email address that Blue Coat can validate.
  5. Select OK.
  6. Select Save.

    If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

Configuring the IPsec (Blue Coat) VPN setting

Before you begin: Configure the Blue Coat certificate enrollment setting.

Procedure 

  1. Go to Policies & Configs > Configurations and select Add New > VPN.
  2. Use the following guidelines to specify the settings.

    | Item | Description |
    | --- | --- |
    | Name | Enter brief text that identifies this VPN setting. |
    | Description | Enter additional text that clarifies the purpose of this VPN setting. |
    | Connection Type | Select IPsec (Blue Coat). |
    | Identity Certificate | Select a Blue Coat certificate enrollment setting from the drop-down list. |

  3. Select Save.
  4. Select the VPN setting that you just created.
  5. Select Actions > Apply To Label.
  6. Select the appropriate labels.
  7. Select Apply.

Revoking the certificate

You can revoke a Blue Coat certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Blue Coat service. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

Procedure 

  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Select Actions > Revoke.