Supported certificate scenarios

Ivanti EPMM supports the following certificate scenarios:

Ivanti EPMM as a certificate authority

You can configure Ivanti EPMM as a local certificate authority (CA) for the following scenarios:

  • Ivanti EPMM as an Independent Root CA (self-signed)—Configure Ivanti EPMM as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Ivanti EPMM as the certificate authority.
  • Ivanti EPMM as an Intermediate CA—Use this option when your company already has its own certificate authority. Using Ivanti EPMM as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

Using Ivanti EPMM as a certificate proxy

Ivanti EPMM can act as a proxy to a third-party CA, using either the APIs exposed by that CA or the SCEP protocol to obtain the certificates required by a Certificate Enrollment. This enables you to configure certificate-based authentication for devices.

Using Ivanti EPMM as a certificate proxy has the following benefits:

  • Certificates verify Exchange ActiveSync, Wi-Fi and/or VPN connections, eliminating the need for passwords that are complex to manage.
  • Ivanti EPMM can manage certificates by checking their status against a CA's CRL, deactivating revoked certificates, and requesting replacements when certificates are about to expire.
  • Ivanti EPMM can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
  • Simplified enrollment with the following:
    • MS Certificate Enrollment
    • Entrust
    • Local CA
    • Symantec Managed PKI
    • User provided certificates
    • Open Trust
    • Symantec Web Services Managed PKI

The following applications are supported.

  • ActiveSync is supported with Ivanti Email+ and the iOS native mail client.
  • VPN is supported on and on iOS with IPSec, Cisco AnyConnect, and JunOS Pulse.
  • Wi-Fi.

The following certificates are supported for iOS devices:

  • Microsoft NDES Certificate Enrollment
  • Entrust
  • Local CA
  • User provided certificates
  • Open Trust
  • Client-Provided certificates
  • Client-provided certificates using the native SCEP client on iOS

For information about how to create certificate enrollment settings in Ivanti EPMM, see Certificate Enrollment settings.