Configuring AppConnect apps to use derived credentials
Applicable derived credential providers and device platforms
|
Derived credential providers |
Any for iOS Entrust for Android |
|
Device platforms |
iOS, Android |
| • | Use cases for derived certificates in AppConnect apps |
| • | Configuring an AppConnect app configuration for the AppConnect app |
Use cases for derived certificates in AppConnect apps
Any AppConnect app can use certificates, and therefore certificates from a derived credential, as follows:
| • | The app can receive certificates that it expects in its app-specific app configuration. The app developer or vendor provides you the a list of key-value pairs, which you configure in the app’s AppConnect app configuration on the MobileIron Core Admin Portal. |
| • | iOS only: The app can authenticate to an enterprise service with a certificate, using the certificate authentication feature that the AppConnect library provides. |
This use case requires no development in the iOS AppConnect app. The AppConnect library that is built into each iOS AppConnect app receives the certificate and handles sending the certificate to the appropriate enterprise service.
Configuring an AppConnect app configuration for the AppConnect app
Configure an AppConnect app configuration so that the AppConnect app uses derived credentials. Follow the procedure for iOS AppConnect apps or Android AppConnect apps.
Procedure for iOS AppConnect apps
| 1. | On the Admin Portal, go to Policies & Configs > Configurations. |
| 2. | Select Add New > AppConnect > App Configuration. |
Alternatively, edit an existing AppConnect app configuration for the AppConnect app if you have one already.
| 3. | Enter a name for the AppConnect app configuration. |
| 4. | Enter a description for the AppConnect app configuration. |
| 5. | In the Application field: |
enter the case-sensitive bundle ID for the AppConnect app.
| - | For iOS AppConnect apps, enter the case-sensitive bundle ID for the AppConnect app. |
| - | For Android AppConnect apps, select the app from the dropdown. It is listed because you added it to the MobileIron Core App Catalog. |
| 6. | In the App-specific Configurations section: |
| a. | If the app expects key-value pairs for which the value is a certificate from a derived credential, add the following case-sensitive keys and their values: |
|
Key |
Value |
|||
|
<app-specific key name>
|
Select a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose (Authentication, Signing, Encryption, or Decryption) appropriate for this app-specific key. Depending on the selected setting, Mobile@Work delivers the corresponding certificate from the derived credential to the app. For the Decryption purpose, Mobile@Work delivers a list of certificates. |
| b. | If you are using the AppConnect feature that causes the AppConnect library within the app to handle certificate authentication to an enterprise service, add the following case-sensitive key-value pairs: |
|
Key |
Value |
||||||
|
MI_AC_CLIENT_CERT_1 |
Select a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Authentication. |
||||||
|
MI_AC_CLIENT_CERT_1_RULE |
The URL for the website to which the certificate from the derived credential will be presented. Wildcards are permitted in the host name. Examples:
|
Repeat with similar keys with different numbers for other URLs. For example:
|
Key |
Value |
|
MI_AC_CLIENT_CERT_2 |
Select a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Authentication. |
|
MI_AC_CLIENT_CERT_2_RULE |
myOtherServer.mycompany.com |
|
MI_AC_CLIENT_CERT_3 |
Select a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Authentication. |
|
MI_AC_CLIENT_CERT_3_RULE |
YetAnotherServer.mycompany.com |
| 7. | Click Save. |
| 8. | Select the AppConnect app configuration that you just created. |
| 9. | Click More Actions > Apply to Label. |
| 10. | Select the labels to which you want to apply this policy. |
| 11. | Click Apply. |
Procedure for Android AppConnect apps
Note that Core automatically creates an AppConnect app configuration for an AppConnect app for Android when you upload the app to the App Catalog. This procedure assumes you use that AppConnect app configuration.
| 1. | On the Admin Portal, go to Policies & Configs > Configurations. |
| 2. | Select the AppConnect app configuration that Core automatically created for the app. It has the configuration type is APPCONFIG. |
| 3. | Click Edit. |
| 4. | In the App-specific Configurations section, add the following case-sensitive keys and their values to support the use of derived credentials: |
|
Key |
Value |
|||
|
<app-specific key name>
|
Select a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose (Authentication, Signing, or Encryption) appropriate for this app-specific key. Depending on the selected setting, the Secure Apps manager delivers the corresponding certificate from the derived credential to the app. |
| 5. | Click Save. |
| 6. | Select the AppConnect app configuration that you just created. |
| 7. | Click More Actions > Apply to Label. |
| 8. | Select the labels to which you want to apply this policy. |
Core already labeled it with the same labels you applied to the app.
| 9. | Click Apply. |
In the MobileIron Core AppConnect and AppTunnel Guide:
| • | “Configuring an AppConnect app configuration” |
| • | “Certificate authentication from AppConnect apps to enterprise services”, which includes details about what the value of the MI_AC_CLIENT_CERT_#_RULE keys can be |