Cert pinning for in-app registrations for iOS and Android devices

Beginning with the Ivanti EPMM 11.4.0.0 release, you can configure certificate pinning to protect in-app registration of iOS and Android devices against man-in-the-middle attacks. From the Certificate Mgmt page, you create a Pinned Server Certificate policy that delivers to clients the set of certificates they can expect an Ivanti EPMM server to present during check-in and similar traffic. The policy applies after first-time use: it gives continuous assurance that the client is still connecting to the correct Ivanti EPMM and not to an interposed server.

If none of the certificates in the policy matches the certificate the Ivanti EPMM server is actually presenting, devices strictly honor the pinning policy and refuse to connect until a corrected pinning policy is sent to them. Because a device that refuses to connect cannot check in to receive that correction, confirm that the policy contains the server's live certificate before you deploy it.

The pinning policy accepts multiple entries so that the server certificate can be rotated without interrupting devices. Before the Ivanti EPMM server's certificate expires, add the renewal certificate to the policy while keeping the expiring certificate in it; devices then accept either, and the switch to the renewed certificate on the server is seamless. Ivanti recommends that administrators set up Ivanti EPMM system certificate expiration alerts so they are warned before the server certificate expires.
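The client-side behavior described above, as an added example in Python that is not Ivanti's code and not part of this page: it fingerprints each certificate in a pinning policy, makes the connect-or-refuse decision against the certificate a server presents, and shows why a policy containing only the expiring certificate strands devices the moment the server switches to the renewed one, while a policy that stages both keeps working. The certificates are constructed placeholder bytes wrapped in PEM envelopes, since only their identity matters for fingerprinting; whether the Ivanti client matches on the whole certificate or on the public key is not stated on this page, so the example hashes the full DER certificate. The `live_server_fingerprint` helper, which assumes a hostname of your own, is the pre-upload check for step 6 of the procedure below: run it against your EPMM server to confirm that the certificates you are about to pin include the one it actually presents.

```python
import hashlib
import ssl

# Constructed stand-ins for DER-encoded certificates. Real DER is ASN.1,
# but only the bytes' identity matters for fingerprinting, so placeholder
# bytes are enough to run the example offline.
EXPIRING_DER = b"constructed-der:epmm-server-cert-2023"
RENEWAL_DER = b"constructed-der:epmm-server-cert-2024"
ROGUE_DER = b"constructed-der:interception-proxy-cert"

# ssl.DER_cert_to_PEM_cert wraps the bytes in a PEM envelope, the form
# you would upload on the Certificate Mgmt page.
EXPIRING_PEM = ssl.DER_cert_to_PEM_cert(EXPIRING_DER)
RENEWAL_PEM = ssl.DER_cert_to_PEM_cert(RENEWAL_DER)
ROGUE_PEM = ssl.DER_cert_to_PEM_cert(ROGUE_DER)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate, as hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def build_policy(*pems: str) -> frozenset:
    """The pinned set: fingerprints of every certificate in the policy."""
    return frozenset(fingerprint(p) for p in pems)


def check_pin(policy: frozenset, presented_pem: str) -> bool:
    """Client-side decision: connect only if the presented cert is pinned."""
    return fingerprint(presented_pem) in policy


def rotation_is_safe(policy: frozenset, current_pem: str, renewal_pem: str) -> bool:
    """True when the policy already contains both the certificate the server
    presents today and the one it will present after renewal."""
    return check_pin(policy, current_pem) and check_pin(policy, renewal_pem)


def live_server_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the certificate the server actually presents and fingerprint it.
    Not called below because it needs network access; run it before
    generating a pinning request to confirm the pinned set matches the
    live certificate. The host is your own EPMM hostname (an assumption)."""
    return fingerprint(ssl.get_server_certificate((host, port)))


def demo() -> dict:
    """Compare a policy that pins only today's cert with one that stages
    the renewal cert alongside it, across the server's certificate switch."""
    narrow = build_policy(EXPIRING_PEM)               # only today's cert pinned
    staged = build_policy(EXPIRING_PEM, RENEWAL_PEM)  # renewal staged in advance
    return {
        # a certificate from an interposed proxy is rejected
        "rogue_rejected": not check_pin(staged, ROGUE_PEM),
        # the narrow policy strands devices once the server is renewed
        "narrow_after_renewal": check_pin(narrow, RENEWAL_PEM),
        # the staged policy keeps working on both sides of the switch
        "staged_before_renewal": check_pin(staged, EXPIRING_PEM),
        "staged_after_renewal": check_pin(staged, RENEWAL_PEM),
        "rotation_safe": rotation_is_safe(staged, EXPIRING_PEM, RENEWAL_PEM),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run the file directly to print the five checks. To apply the same helpers to real certificates, read your exported PEM files with `open()` in place of the constructed strings, and compare `live_server_fingerprint()` against `build_policy()` of the files you intend to upload before you generate the pinning request.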

Before you begin 

Mutual authentication (also known as certificate-based authentication) must be enabled to use this feature. For more information, see "Mutual authentication between devices and Ivanti EPMM" in the Managing Certificates and Configuring Certificate Authorities chapter of the Ivanti EPMM Device Management Guide for your operating system.

Procedure

  1. Log into System Manager.
  2. Go to Security > Certificate Mgmt > Create a Pinning Request.

    Figure 1. Create a Pinning Request menu

  3. To add certificates beyond those already listed, click +Add Certificate (caption 1). The Upload Certificates window opens.
  4. Click Choose File and select the certificate you want to add.
  5. Click Add another file if you have more certificates to add, or Upload Certificate when you are done. The new certificates appear in the Certificates table.

    Figure 2. Certificates table with new sample certificates

  6. To download a Pinning Request for the certificates in the table, click Generate Pinning Request (caption 2). This action initiates the download of a pinning statement request file in native Mac or Windows format.

  7. Contact your Support representative to submit the pinning request for activation.

  8. When you have received the activated Pinning Statement from Ivanti support, click Upload Pinning Statement (caption 3) to upload your pinning statement to Ivanti EPMM.

  9. To view the details of a certificate, click View in the View Certificate column of the Certificates table.