Certificate Enrollment settings

Identity certificates can be distributed via Apps@Work.

Certificate enrollment settings are used as follows:

  • As part of a larger process of setting up a certificate enrollment server to support authentication for VPN on demand, Wi-Fi, Exchange ActiveSync, AppTunnel and so on.
  • To provide devices with identity certificates that you uploaded to Ivanti EPMM, for the case when you want to provide the same identity certificate to many users’ devices.
  • To distribute user-provided certificates to devices, in cases where end users upload their own identity certificates to Ivanti EPMM through the Ivanti EPMM user portal.

The available options are:

  • Blue Coat: Use to create a Blue Coat certificate enrollment setting for integrating with the Blue Coat Mobile Device Security service.
  • Client-Provided: Use if you want AppConnect apps to use derived credentials for authentication, digital signing, or encryption.
  • Entrust: Use if you are using the Entrust Datacard certificate enrollment solution.
  • GlobalSign: Use if you are using GlobalSign as the CA for certificate enrollment.
  • Local: Use if you are using Ivanti EPMM as the CA.
  • OpenTrust: Use if you are using the OpenTrust integration. See Configuring OpenTrust CA.
  • Single File Identity: Use to upload an identity certificate for distribution to devices.
  • SCEP: Use for standard certificate-based authentication using a separate CA.

    SCEP Configurations created before upgrading to Ivanti EPMM 7.0.0.0 or later should be replaced with a new SCEP Configuration. Failure to do so might result in certificate renewal failures from Ivanti EPMM 9.4.0.0.

  • Symantec Managed PKI: Use if you are using Symantec’s Certificate Enrollment solution. See Configuring Symantec Managed PKI for more information.
  • Symantec Web Services Managed PKI: Use if you are using the Symantec Web Services Managed PKI solution. See Configuring Symantec Web Services Managed PKI for more information.
  • User-Provided: Use if device users will upload their personal certificates. The user portal includes a certificate upload section for this purpose. A web services API is also available for you to upload user-provided certificates.

If Certificate Enrollment integration is not an option

If Certificate Enrollment integration is not an option for your organization, consider configuring Ivanti EPMM as an intermediate or root CA. See Certificate Enrollment settings for more information.

Supported variables for certificate enrollment

The following variables are supported in the required and optional fields when configuring integration with supported Certificate Authorities (CAs):

  • $EMAIL$
  • $USERID$
  • $FIRST_NAME$
  • $LAST_NAME$
  • $DISPLAY_NAME$
  • $USER_DN$
  • $USER_SID$
  • $USER_UPN$
  • $USER_LOCALE$
  • $DEVICE_UUID$
  • $DEVICE_UUID_NO_DASHES$
  • $DEVICE_UDID$
  • $DEVICE_IMSI$
  • $DEVICE_IMEI$
  • $DEVICE_SN$
  • $DEVICE_ID$
  • $DEVICE_MAC$
  • $DEVICE_CLIENT_ID$
  • $USER_CUSTOM1$
  • $USER_CUSTOM2$
  • $USER_CUSTOM3$
  • $USER_CUSTOM4$
  • $REALM$
  • $TIMESTAMP_MS$
  • $RANDOM_16$
  • $RANDOM_32$
  • $RANDOM_64$
  • $CONFIG_UUID$*

* This substitution variable works only for the values under the Subject Alternative Names section of the following configurations: Entrust, Local, SCEP, Symantec Managed PKI. It is used for Sentry certificate-based tunneling (CBT).
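The variable list above is a template syntax, and the $CONFIG_UUID$ footnote is exactly the kind of rule that is easy to get wrong in a subject or SAN field. The following is an added example (not Ivanti's code) that expands these $VAR$ tokens from a constructed user/device context and flags templates that use an unsupported variable or put $CONFIG_UUID$ anywhere other than a SAN field of the listed configurations. It assumes, since the page does not say, that $RANDOM_n$ produces n random hex characters and that $TIMESTAMP_MS$ is Unix epoch time in milliseconds.

```python
import re
import secrets
import time

# Substitution variables the page lists as supported in CA integration fields.
SUPPORTED_VARS = {
    "EMAIL", "USERID", "FIRST_NAME", "LAST_NAME", "DISPLAY_NAME", "USER_DN", "USER_SID",
    "USER_UPN", "USER_LOCALE", "DEVICE_UUID", "DEVICE_UUID_NO_DASHES", "DEVICE_UDID",
    "DEVICE_IMSI", "DEVICE_IMEI", "DEVICE_SN", "DEVICE_ID", "DEVICE_MAC", "DEVICE_CLIENT_ID",
    "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4", "REALM",
    "TIMESTAMP_MS", "RANDOM_16", "RANDOM_32", "RANDOM_64", "CONFIG_UUID",
}
# $CONFIG_UUID$ is honoured only in Subject Alternative Names of these configurations.
CONFIG_UUID_TYPES = {"Entrust", "Local", "SCEP", "Symantec Managed PKI"}
VAR_RE = re.compile(r"\$([A-Z0-9_]+)\$")


def validate_template(template, field, config_type):
    """Return a list of problems for one CE field template; an empty list means OK."""
    problems = []
    for name in VAR_RE.findall(template):
        if name not in SUPPORTED_VARS:
            problems.append(f"unsupported variable ${name}$")
        elif name == "CONFIG_UUID" and (field != "SAN" or config_type not in CONFIG_UUID_TYPES):
            problems.append("$CONFIG_UUID$ is valid only in SAN fields of " + ", ".join(sorted(CONFIG_UUID_TYPES)))
    return problems


def expand_template(template, context, now_ms=None):
    """Substitute $VAR$ tokens from a user/device context, deriving the computed variables.
    Assumption (not stated on the page): $RANDOM_n$ yields n random hex characters and
    $TIMESTAMP_MS$ is Unix epoch milliseconds."""
    ctx = dict(context)
    ctx.setdefault("DEVICE_UUID_NO_DASHES", ctx.get("DEVICE_UUID", "").replace("-", ""))
    ctx.setdefault("TIMESTAMP_MS", str(now_ms if now_ms is not None else int(time.time() * 1000)))
    for n in (16, 32, 64):
        ctx.setdefault(f"RANDOM_{n}", secrets.token_hex(n // 2))

    def lookup(match):
        name = match.group(1)
        if name not in ctx:
            raise KeyError(f"no value available for ${name}$")  # fail closed, never emit the raw token
        return ctx[name]
    return VAR_RE.sub(lookup, template)


# Constructed sample enrollment context; the values are made up, not real user or device data.
SAMPLE_CONTEXT = {
    "USERID": "jdoe", "EMAIL": "jdoe@example.test", "REALM": "corp.example.test",
    "DEVICE_UUID": "12345678-abcd-4ef0-9abc-1234567890ab", "CONFIG_UUID": "cfg-placeholder-0001",
}
```

Run validate_template over every subject and SAN field of a configuration before saving it; a rejected template is far cheaper than a fleet of devices that fail renewal because one field silently carried an unexpanded token.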

Monitoring modifications to certificate enrollment settings

When administrators modify a certificate enrollment (CE) setting, they also change every configuration that uses that CE setting. The modification history field records the administrator who changed the CE setting as the administrator who caused those configuration changes.