Certificates you configure in the System Manager

You configure the following certificates on the System Manager at Security > Certificate Mgmt:

Table 23.   Certificates you configure in the System Manager

Certificate

Portal HTTPS

Port 443 and 8443

  • The identity certificate and its certificate chain, including the private key, that identifies Core, allowing a client (such as a browser or app) to trust Core.
  • Used on port 8443 for the System Manager.
  • Must be a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.
  • Used on port 443 for these clients:
    • the Admin Portal
    • the self-service user portal
    • [email protected] for iOS and Android device check-ins when using mutual authentication
    • [email protected] for macOS device check-ins
    • iOS MDM and macOS MDM check-ins
    • Windows device check-ins
    • [email protected] on Android and iOS
  • Typically the same certificate as the Client TLS and iOS Enrollment certificates.
  • Presented to the client as part of the TLS handshake when the client initiates a request to Core.

[email protected] for Android requires that the Portal HTTPS certificate supports CRLs (Certificate Revocation Lists).

Client transport layer security (TLS)

Port 9997

  • The identity certificate and its certificate chain, including the private key, that identifies Core, allowing [email protected] for iOS and Android to trust Core.
  • Used on port 9997 for [email protected] for iOS and Android device check-ins when not using mutual authentication.
  • Typically the same certificate as the Portal HTTPS and iOS Enrollment certificates.
  • Presented to [email protected] for iOS or Android as part of the TLS handshake when [email protected] initiates a request to Core.
  • Beginning September 1, 2020, Apple requires that valid Transport Layer Security (TLS) certificates expire in 397 days or less. From Ivanti EPMM 10.8.0.0 through the latest release supported by MobileIron, the lifespan of self-signed TLS certificates is limited to fewer than 398 days.

iOS Enrollment

  • The identity certificate and its certificate chain, including the private key, that identifies Ivanti EPMM. Ivanti EPMM uses the identity certificate to sign the Apple MDM configurations that it sends to iOS and macOS devices.
  • Typically the same certificate as the Client TLS and Portal HTTPS certificates.
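
The 397-day lifetime limit and the CRL requirement for the Portal HTTPS certificate can be checked before a certificate is uploaded. The following is an added example, not part of the Ivanti documentation: it audits the text printed by `openssl x509 -noout -dates -text -in <cert.pem>`, and the function names and both sample outputs are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=397)      # limit stated in the Client TLS row
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"     # date format printed by `openssl x509 -dates`

def _date(text, field):
    """Extract notBefore/notAfter from `openssl x509 -noout -dates` output."""
    m = re.search(rf"^{field}=(.+)$", text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} missing from openssl output")
    # openssl pads single-digit days with two spaces; collapse before parsing
    return datetime.strptime(" ".join(m.group(1).split()), _DATE_FMT)

def audit_certificate(openssl_text, require_crl=False):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    lifetime = _date(openssl_text, "notAfter") - _date(openssl_text, "notBefore")
    if lifetime > MAX_LIFETIME:
        findings.append(f"validity period of {lifetime} exceeds 397 days")
    # Set require_crl=True for a Portal HTTPS certificate that must support CRLs
    if require_crl and "X509v3 CRL Distribution Points" not in openssl_text:
        findings.append("no CRL Distribution Points extension")
    return findings

# Constructed sample: exactly 397 days (2024 is a leap year), CRL extension present
SAMPLE_OK = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Feb  1 00:00:00 2025 GMT
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/ca.crl
"""

# Constructed sample: two-year certificate without a CRL extension
SAMPLE_BAD = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2026 GMT
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_certificate(sample, require_crl=True) or "passed")
```

Because the Portal HTTPS, Client TLS and iOS Enrollment certificates are typically the same certificate, one audit run usually covers all three.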