Configuring a client-provided certificate enrollment setting

This section covers client-provided certificate enrollment settings.

Client-provided certificate enrollment settings are applicable only to iOS and Android devices.

Overview of client-provided certificate enrollment settings

Derived credentials are identity certificates derived from the certificates on a smart card. The derived credentials are stored on the device in [email protected] on iOS devices, and in Secure Apps Manager on Android devices. AppConnect apps on mobile devices can use derived credentials for these purposes:

  • Authentication to backend servers, such as email servers, web servers, or app servers
  • Digital signing
  • Encryption
  • Decryption of older emails for which the original encryption certificate has expired (iOS only)
  • Authenticating the user to Standalone Sentry when using AppTunnel with Kerberos authentication to the backend server

You create a client-provided certificate enrollment setting when you want an AppConnect app to use derived credentials for one of these purposes. You then refer to the client-provided certificate enrollment in the appropriate setting.

The certificate enrollment setting is called client-provided because [email protected] for iOS or Secure Apps Manager for Android, known as client apps, provide the identity certificate to the AppConnect app.

Only the following settings can refer to a client-provided certificate enrollment setting:

  • AppConnect app configuration

    It can refer to a client-provided certificate enrollment setting in:

    • The value in a key-value pair in its App-specific Configurations section.
    • The identity certificate in its AppTunnel Rules section.
  • [email protected] setting

    It can refer to a client-provided certificate enrollment setting in:

    • the value in a key-value pair in its Custom Configurations section
    • the identity certificate in its AppTunnel Rules section
  • [email protected] setting

    It can refer to a client-provided certificate enrollment setting in:

    • the value in a key-value pair in its Custom Configurations section
    • the identity certificate in its AppTunnel Rules section

Make sure the version of [email protected] for iOS or the Secure Apps Manager for Android on the device supports client-provided certificate enrollment settings as shown in the following table:

Reference to the client-provided certificate enrollment setting

iOS:

 

[email protected]

prior to 8.5

iOS:

 

[email protected] 8.5 and 8.6

iOS:

 

Mobil[email protected] 9.0 or supported newer versions

Android:

 

All versions of Secure Apps Manager supported or compatible with Ivanti EPMM

In key-value pairs

Not supported

Supported

Supported

Supported

In AppTunnel rules

Not supported

Not supported

Supported

Not supported

  • Ivanti Derived Credentials Guide for EPMM
  • PIV-D Manager for iOS Release Notes

  • PIV-D Manager for Android Release Notes

Specifying a client-provided certificate enrollment setting

To specify a client-provided certificate enrollment setting:

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Certificate Enrollment > Client-Provided.
  3. In the New Client-Provided Certificate Enrollment Setting dialog box, use the following guidelines to specify your settings.

    Item

    Description

    Name

    Enter brief text that identifies this certificate enrollment setting.

    Description

    Enter additional text that clarifies the purpose of this certificate enrollment setting.

    Select purpose

    Select one of the following, depending on the intended use of the client-provided identity certificate:

    Authentication

    Decryption

    Encryption

    Signing

    Provider

    Select the derived credential provider.

     
  4. Click Save.