Configuring certificate pinning for registered devices

Implementing TLS server authentication certificate pinning in the client ensures that the application's traffic is protected against rogue "trusted" certificates that may have been maliciously installed on the device. With pinning, during the TLS handshake the client checks the certificate the server presents against an authoritative list of the certificates it expects from that server, rather than relying solely on the device's trust store. Certificate pinning therefore protects against man-in-the-middle attacks that would otherwise expose confidential data.

Example case study: A man-in-the-middle attack would allow the attacker to impersonate your Core server and send commands to the device. This could result in device compromise and confidential data leakage.

Ivanti recommends creating a Certificate Pinning policy so that Mobile@Work trusts only the legitimate Core TLS server certificates listed in that policy. The Certificate Pinning policy is supported on Mobile@Work 11.3.0.0 for Android and supported newer versions, and on Mobile@Work 12.11.30 for iOS and supported newer versions.

This feature provides steady-state assurance that the client is connecting to an authentic Core, that is, one that presents a TLS server certificate under your control.

For daily use cases such as check-in, Core applies the TLS server authentication certificate pinning policy in Mobile@Work. Mobile@Work then trusts Core only if it presents one of the certificates in its pinning configuration. Once a device is registered to Core, Mobile@Work holds the pinned certificates, and the connection fails if Core presents an unexpected certificate.

Steady-state pinning must be used together with the mutual authentication client identity feature. Pinning is implemented only on port 443, not on port 9997, so it takes effect only when mutual authentication is active and devices access port 443 exclusively. For more information, see Mutual authentication between devices and Core.

A certificate pinning policy supports multiple entries so that the transition is smooth when the Core server's certificate is about to expire. Administrators can add the renewal certificate to the policy before it is active on the server and keep the expiring certificate in the policy as well, so devices accept either certificate until the server has switched over to the renewed one.

Procedure 

  1. In Core, go to Policies & Configs > Configurations.
  2. Click Add New > Certificates.

    The New Certificate Setting dialog box opens.

  3. Enter the Name and Description, and upload the certificate file that the Pinned Server Certificate Policy will reference.
  4. Click Save.

    Repeat the above steps for each certificate to pin, for example when the current certificate is about to expire and the renewal certificate is already available.

  5. Go to Policies & Configs > Policies.

  6. Click Add New > Pinned Server Certificate Policy.

    The Add Pinned Server Certificate Policy dialog box opens.

  7. Use the form to enter your settings:

    Name
      Enter a name for the policy.

    Status
      Select the relevant radio button to indicate whether the policy is Active or Inactive. Only one active policy can be applied to a device.

    Priority
      Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A higher priority than Policy B, you would select "Higher than" and "Policy B".

    Description
      Enter an explanation of the purpose of this policy.

    Trusted Certificates
      1. In Trusted Certificates, click the Add+ button.
      2. A new drop-down field displays; select the certificate you created in the steps above.
      Administrators can delete unwanted certificates by clicking the x in the row.

  8. Click Save.

    The new Pinned Server Certificate policy displays in the Policies page.
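Before applying the policy, it is worth confirming that the certificate file uploaded in step 3 is the one Core actually presents on port 443: a wrong pin makes every registered device fail to check in as soon as the policy reaches it. The following Python script is an added example, not Ivanti's code and not part of the original page. It fetches the certificate a server presents, compares its SHA-256 fingerprint with the fingerprints of the files you intend to pin, and applies the same accept/reject rule a pinning client uses, including the rollover case where the expiring and the renewal certificate are both pinned. It assumes the pin is a match on the presented (leaf) certificate itself; the exact comparison Mobile@Work performs is not stated on this page. The host name, file paths and the byte strings used as stand-in certificates are placeholders.

```python
"""Pre-flight check for a Pinned Server Certificate policy entry (added example).

Usage: python pin_check.py core.example.com current.cer renewal.cer
The host and file names are placeholders, not values from the original page.
"""
import hashlib
import socket
import ssl
import sys


def to_der(data: bytes) -> bytes:
    """Accept a certificate file as PEM or DER and return DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case
    hex, the form most certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate the server presents during the handshake.

    Chain validation is deliberately disabled here: the goal is to read what
    the server sends, not to trust it. The fingerprint comparison in
    pin_decision() is the trust decision, which is exactly what a pinning
    client does.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pin_decision(presented_der: bytes, pinned_ders):
    """Mirror the client-side rule: accept only if the presented leaf matches
    one of the pinned entries. Several entries allow both the expiring and
    the renewal certificate to be accepted during a rollover.
    Returns (accepted, fingerprint_of_presented_certificate)."""
    pins = {der_fingerprint(d) for d in pinned_ders}
    presented_fp = der_fingerprint(presented_der)
    return presented_fp in pins, presented_fp


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} CORE_HOST CERT_FILE [CERT_FILE ...]")
        return 2
    host, files = argv[1], argv[2:]
    pinned = []
    for path in files:
        with open(path, "rb") as f:
            pinned.append(to_der(f.read()))
        print(f"pin     {der_fingerprint(pinned[-1])}  ({path})")
    # Port 443 only: the page states pinning is not applied on port 9997.
    ok, fp = pin_decision(fetch_server_cert_der(host, 443), pinned)
    print(f"server  {fp}  ({host}:443)")
    if ok:
        print("OK: the server certificate matches a pinned entry")
        return 0
    print("MISMATCH: do not apply this policy; devices would fail to check in")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with only the current certificate to confirm the upload is correct, and again during a renewal with both the current and the renewal file, which should both be accepted until the old certificate is removed from the policy. An exit status of 1 means the policy would lock devices out and must not be activated.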