Supported certificate scenarios

Ivanti EPMM supports the following certificate scenarios:

Ivanti EPMM as a certificate authority

You can configure Ivanti EPMM as a local certificate authority (CA) for the following scenarios:

  • Ivanti EPMM as an Independent Root CA (self-signed)—Configure Ivanti EPMM as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Ivanti EPMM as the certificate authority.
  • Ivanti EPMM as an Intermediate CA—Use this option when your company already has its own certificate authority. Using Ivanti EPMM as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

Using Ivanti EPMM as a certificate proxy

Ivanti EPMM can act as a proxy to a 3rd party CA by using APIs exposed by the 3rd party CA or the SCEP protocol to obtain certificates required by a Certificate Enrollment. This enables you to configure certificate-based authentication for devices.

Using Ivanti EPMM as a certificate proxy has the following benefits:

  • Certificate verifies Exchange ActiveSync, Wi-Fi and/or VPN connections, eliminating the need for passwords that are complex to manage
  • Ivanti EPMM can manage certificates by checking status against a CA's CRL, deactivating revoked certificates and requesting replacement when certificates are about to expire
  • Ivanti EPMM can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
  • Simplified enrollment with the following:
    • MS Certificate Enrollment
    • Entrust
    • Local CA
    • Symantec Managed PKI
    • User provided certificates
    • Open Trust
    • Symantec Web Services Managed PKI

The following applications are supported.

  • Wi-Fi.

For information about how to create certificate enrollment settings in Ivanti EPMM, see Certificate Enrollment settings.

Using Ivanti EPMM as a certificate enrollment reverse proxy

Identity certificates with Microsoft Certificate Enrollment are supported. A root or intermediate certificate from a trusted certificate authority (CA) is required, and you must set up Ivanti EPMM to act as a SCEP reverse proxy.

Windows devices originate the certificate request. When the Windows device requests a certificate, the Ivanti EPMM acts as a Certificate Enrollment reverse proxy and communicates with the Certificate Enrollment server to deliver the certificate to the device.

Certificate scenarios supported for Windows 8.1 Phone

Table 1. Certificate scenarios supported for Windows 8.1 Phone


Windows Phone 8.1


Public trusted1

Ivanti EPMM as certificate authority


Certificate Enrollment proxy


Reverse Certificate Enrollment




  1. The portal certificate must be issued by a trusted third-party certificate authority for successful device registration.
  2. Supported for email, Wi-Fi, VPN configurations and in-house apps.