Certificates you configure in the System Manager

You configure the following certificates on the System Manager at Security > Certificate Mgmt:

Ivanti recommends allowing HTTPS traffic on port 8443 only from the corporate network, and limiting it to Ivanti applications. This service is intended for EPMM server management and must have strictly controlled access.

Table 23.   Certificates you configure in the System Manager



Portal HTTPS

Port 443 and 8443

  • The identity certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing a client (such as a browser or app) to trust Ivanti EPMM.
  • Used on port 8443 for the System Manager.
  • Must be a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.
  • Used on port 443 for these clients:
    • the Admin Portal
    • the self-service user portal
    • Mobile@Work for iOS and Android device check-ins when using mutual authentication
    • Mobile@Work for macOS device check-ins
    • iOS MDM and macOS MDM check-ins
    • Windows device check-ins
    • Apps@Work on Android and iOS
  • Typically the same certificate as the Client TLS and iOS Enrollment certificates.
  • Presented to the client as part of the TLS handshake when the client initiates a request to Ivanti EPMM.

Mobile@Work clients require that the Portal HTTPS certificate support either CRLs (Certificate Revocation Lists) or OCSP.

Client transport layer security (TLS)

Port 9997

  • The identity certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing Mobile@Work for iOS and Android to trust Ivanti EPMM.
  • Used on port 9997 for Mobile@Work for iOS and Android device check-ins when not using mutual authentication.
  • Typically the same certificate as the Portal HTTPS and iOS Enrollment certificates.
  • Presented to Mobile@Work for iOS or Android as part of the TLS handshake when Mobile@Work initiates a request to Ivanti EPMM.
  • Beginning September 1, 2020, Apple requires that valid Transport Layer Security (TLS) certificates expire in 397 days or less. From Ivanti EPMM through the latest release supported by Ivanti, the lifespan of self-signed TLS certificates is limited to fewer than 398 days.

iOS Enrollment

  • The identity certificate and its certificate chain, including the private key, that identifies Ivanti EPMM. Ivanti EPMM uses the identity certificate to sign the Apple MDM configurations that it sends to iOS and macOS devices.
  • Typically the same certificate as the Client TLS and Portal HTTPS certificates.
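
The following added example (not Ivanti tooling or part of the original documentation) checks a PEM certificate against two requirements stated above before you upload it: a lifetime of 397 days or less, and a CRL or OCSP pointer for Mobile@Work clients. It assumes the OpenSSL 1.1.1+ command line and GNU date; the function names, the file name and the epmm.example.test host name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Ivanti tooling): pre-upload checks for a PEM certificate.
# Assumes the OpenSSL 1.1.1+ CLI and GNU date.

MAX_LIFETIME_SECONDS=$((397 * 86400))   # "397 days or less", as stated on this page

# Print the seconds between the certificate's notBefore and notAfter.
cert_lifetime_seconds() {
  local start end
  start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( $(date -u -d "$end" +%s) - $(date -u -d "$start" +%s) ))
}

# Succeed when the lifetime is within the 397-day limit.
lifetime_ok() {
  [ "$(cert_lifetime_seconds "$1")" -le "$MAX_LIFETIME_SECONDS" ]
}

# Succeed when the certificate names a CRL distribution point or an OCSP responder.
has_revocation_pointer() {
  openssl x509 -in "$1" -noout -text |
    grep -Eq 'CRL Distribution Points|OCSP - URI:'
}

# Run both checks, print one line per result, return non-zero if either fails.
check_portal_cert() {
  local rc=0
  if lifetime_ok "$1"; then echo "PASS lifetime"
  else echo "FAIL lifetime exceeds 397 days"; rc=1; fi
  if has_revocation_pointer "$1"; then echo "PASS revocation pointer"
  else echo "FAIL no CRL or OCSP URL in certificate"; rc=1; fi
  return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate for trying the checks.
# $1 = output PEM, $2 = validity in days, $3 = optional extension passed to -addext
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=epmm.example.test" ${3:+-addext} ${3:+"$3"} 2>/dev/null
}

# Usage: ./check_cert.sh portal-https.pem
[ "$#" -eq 0 ] || check_portal_cert "$1"
```

The revocation check only confirms that the leaf certificate carries a CRL or OCSP URL; it does not contact the endpoint or inspect the rest of the chain.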

Splunk certificate

Configure the Splunk Client certificate in the Ivanti System Manager at Security > Certificate Mgmt > Splunk Client certificate.

Configure the Splunk server certificate in the Ivanti System Manager on the Data export > Splunk indexer page.