Certificates overview

MobileIron is capable of distributing and managing certificates.

Certificates are mainly used for the following purposes:

  • Establishing secure communications
  • Encrypting payloads
  • Authenticating users and devices

Certificates establish user identity while eliminating the need for users to enter user names and passwords on their mobile devices. Certificates streamline authentication to key enterprise resources, such as email, Wi-Fi, and VPN. Some applications require the use of certificates for authentication.

The following diagram compares a certificate to a passport:

Figure 1. Comparing certificates to a passport

The certificate includes information that identifies the following information:

  • the issuing certificate authority
  • acceptable uses for the certificate
  • information that enables the certificate to be validated.

The MobileIron solution provides the flexibility to use MobileIron Core as a local certificate authority, an intermediate certificate authority, or as a proxy for a trusted certificate authority.

Types of certificates

MobileIron uses the following types of certificates:

Table 1. Certificate types

Certificate type

Description

Portal HTTPS

The identify certificate and its certificate chain, including the private key, that identifies MobileIron Core, allowing a client (such as a browser or app) to trust MobileIron Core. Typically, this certificate is the same certificate as the Client TLS and iOS Enrollment certificates.

Core sends this certificate to the client as part of the TLS handshake over port 443 or 8443 when the client initiates a request to Core.

NOTE: This certificate must be a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.

Related topics 

“Certificates you configure on the System Manager” in the MobileIron Core System Manager Guide

Client TLS

The identify certificate and its certificate chain, including the private key, that identifies MobileIron Core, allowing Mobile@Work for iOS and Android to trust MobileIron Core. Typically, this certificate is the same certificate as the Portal HTTPS and iOS Enrollment certificates.

Core sends this certificate to Mobile@Work for iOS or Android as part of the TLS handshake over port 9997 when Mobile@Work initiates a request to Core.

Related topics 

“Certificates you configure on the System Manager” in the MobileIron Core System Manager Guide

MobileIron Core server SSL

Can be either self-signed or third-party certificates. By default, Core generates self-signed certificates. You can use trusted certificates from third-party certificate providers such as Verisign, Thawte, or Go Daddy. Kerberos and Entrust certificates are also supported.

Sentry server SSL

Identifies the Sentry to the client and secures communication, over port 443, between devices and the Sentry.

Client identity

Verifies the identity of users and devices and can be distributed through Certificate Enrollment.

Samsung Knox devices and certificates managed by MobileIron Core

Certificates managed by MobileIron Core are automatically removed from a Samsung Knox device when the device is retired, or when the label that applied the certificate to the device is removed from the certificate.