Mutual authentication between devices and Core

Core supports mutual authentication, which means that not only must the device trust Core, but Core must trust the device. Therefore, with mutual authentication, a registered device can continue to communicate with Core only if the device provides the right certificate to Core. Mutually authenticated communication between the device and Core enhances security.

A device authenticating to Core with a certificate is also known as certificate-based authentication to Core.

• Scenarios that can use mutual authentication
• Core port usage with devices, with and without mutual authentication
• The mutual authentication setting on Core
• When devices use mutual authentication
• Mutual authentication identity certificate for Core
• Mutual authentication client identity certificate
• Supported custom attributes for mutual authentication certificates
• New endpoint for mutual certification authentication
• Handling client identity certificate expiration for Android devices
• Handling client identity certificate expiration for iOS devices
• Mutual authentication and Apps@Work
• Enabling mutual authentication for Apple and Android devices
• Enabling TLS inspecting proxy support when using mutual authentication
• Enabling mutual authentication for Apple and Android devices
• Enabling mutual authentication for Apple and Android devices

Scenarios that can use mutual authentication

The device can present a client identity certificate to Core in the following cases:

Table 85.   Mutual authentication usage by platform

Platform	Mutual Authentication usage
iOS	Mobile@Work for iOS device check-in AppConnect for iOS check-in iOS MDM device check-in Apps@Work for iOS communication Certificate pinning policy
macOS	Mobile@Work for macOS device check-in macOS MDM device check-in
Android	Mobile@Work for Android device check-in, which includes AppConnect check-in Apps@Work for Android communication
Windows 10	Device check-in

Mutual authentication is not possible at the time Mobile@Work registers with Core, because the device receives its identity certificate during the registration process.

Core port usage with devices, with and without mutual authentication

The following table summarizes Core port usage for registration and further communication with devices. The port usage for some cases is different depending on whether mutual authentication is enabled.

Table 86.   Core port usage with devices with and without mutual authentication

	Without mutual authentication	With mutual authentication
Mobile@Work for iOS	9997	443
Mobile@Work for Android	9997	443
Mobile@Work for macOS	Not applicable. Mobile@Work for macOS always uses mutual authentication with Core.	443
iOS and macOS MDM agent provisioning and agent check-in	443	443
Windows 10	Not applicable. Windows 10 always uses mutual authentication with Core.	443

Port 9997 is configurable in the System Manager in Settings > Port Settings > Sync TLS Port. However, changing the port is rare.

The mutual authentication setting on Core

The setting on Core to enable mutual authentication is in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. Whether the setting is automatically selected on new installations and upgrades is described by the following table.

Table 87.   Setting for mutual authentication on new installs and upgrades

	Setting to enable mutual authentication
New installations	Not selected. Mutual authentication is not enabled.
Upgrade from a previous version of Core in which mutual authentication was not enabled. Or Upgrade from a version of Core prior to Core 9.7.0.0 in which the Android mutual authentication setting was not enabled.	Not selected. Mutual authentication is not enabled.
Upgrade from a previous version of Core in which mutual authentication was enabled. Or Upgrade from a version of Core prior to Core 9.7.0.0 in which the Android mutual authentication setting was enabled.	Selected. Mutual authentication is enabled.

IMPORTANT: Once mutual authentication is enabled on Core, it cannot be disabled.

The mutual authentication setting impacts mutual authentication usage only on:

• Mobile@Work for Android
• Apps@Work for Android
• However, to enable mutual authentication for Apps@Work for Android:
  • You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
  • The device must be using Mobile@Work 10.2.0.0 for Android or supported newer versions.
• Mobile@Work 9.8 or supported newer versions.
• iOS MDM
• macOS MDM

The mutual authentication setting has no impact on mutual authentication usage on:

• Versions of Mobile@Work for iOS prior to Mobile@Work 9.8

  These versions of Mobile@Work for iOS never use mutual authentication.

• Apps@Work for iOS

• Apps@Work for iOS always uses mutual authentication from Core 11.3.0.0 and newer versions.

• Mobile@Work for macOS

  Mobile@Work for macOS always uses mutual authentication.

• Windows 10 devices

  Windows 10 devices always uses mutual authentication.

When devices use mutual authentication

Whether devices use mutual authentication depends on:

• The device platform
• Whether mutual authentication was enabled before upgrade
• Whether mutual authentication is enabled after upgrade
• Whether mutual authentication is enabled after a new installation
• For Mobile@Work for iOS, the version of Mobile@Work

The following table summarizes when devices use mutual authentication and the port they use in communication with Core.

Table 88.   Core mutual authentication (MA) setting impact to device communication

	New Core installation   or   Core upgrade in which: MA setting was NOT enabled before upgrade	New Core installation in which you enable MA setting after installation.   or   Core upgrade in which: MA setting was NOT enabled before upgrade but you enable it after the upgrade.	Core upgrade in which:   MA setting WAS enabled before upgrade
Mutual authentication setting	Not enabled	Enabled	Enabled
Device client
Android: Mobile@Work (all Mobile@Work versions that Core supports)	Port: 9997 MA: not used	Devices that register after enabling MA: Port: 443 MA: used Devices that were already registered: Port: 9997 MA: not used.	Port: 443 MA: used
iOS: Mobile@Work 9.8 or supported newer versions	Port: 9997 MA: not used	Devices that register after enabling MA: Port: 443 MA: used Devices that were already registered: Port: 9997 MA: not used.	Devices that register after enabling MA: Port: 443 MA: used Devices that were already registered: Port: 9997 MA: not used.
iOS: Mobile@Work versions prior to 9.8	Port: 9997 MA: not used	Port: 9997 MA: not used	Port: 9997 MA: not used
iOS: iOS MDM check-in	Port: 443 MA: not used	Port: 443 MA: used	Port: 443 MA: used.
macOS: Mobile@Work	Port: 443 MA: used	Port: 443 MA: used	Port: 443 MA: used
macOS macOS MDM agent check-in	Port: 443 MA: not used	Port: 443 MA: used	Port: 443 MA: used
Windows 10	Port: 443 MA: used	Port: 443 MA: used	Port: 443 MA: used

On new Core installations (not upgrades), if you enable mutual authentication before any devices register, you can disable port 9997 (in the System Manager in Settings > Port Settings > Sync TLS Port) because it is not used. If devices were registered before enabling mutual authentication, disabling the port causes those devices to not be able to check-in.

Mutual authentication identity certificate for Core

You provide an identity certificate for Core to use in mutual authentication in the Portal HTTPS certificate. You configure this certificate on the System Manager at Security > Certificate Mgmt. The certificate is the identify certificate and its certificate chain, including the private key, that identifies Core, allowing the devices to trust Core. This certificate must be a publicly trusted certificate from a well-known Certificate Authority when using mutual authentication.

Mutual authentication client identity certificate

You enable mutual authentication for iOS and Android devices in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. The certificate enrollment setting specifies how the identity certificate that the device will present to Core is generated.

By default, the certificate enrollment setting for mutual authentication is generated with Core as a local Certificate Authority (CA). Most customers use the default selection. However, if necessary due to your security requirements, you can instead specify a SCEP certificate enrollment setting that you create.

IMPORTANT:

• If you use a SCEP certificate enrollment setting for mutual authentication, you cannot use it for any other purpose. For example, you cannot use it in VPN or wi-fi configurations.
• If you use a SCEP certificate enrollment setting that uses an intermediate CA, make sure that all the intermediate CA certificates and the root CA certificate are included in Core's trusted root certificates. See "Managing trusted certificates" in the Getting Started with Core
• See:
  • Handling client identity certificate expiration for Android devices
  • Handling client identity certificate expiration for iOS devices

Supported custom attributes for mutual authentication certificates

From Core release 10.8.0.0 through the latest release supported by Ivanti, Core supports only the following list of custom attributes in the Subject field for mutual authentication enrollment certificates:

• $RANDOM_16$
• $RANDOM_32$
• $RANDOM_64$
• $CONFIG_UUID$
• $TIMESTAMP_MS$

If, after upgrading to release 10.8.0.0 or supported newer versions, the existing selected mutual authentication certificate includes unsupported attributes, Core will replace them with the value $RANDOM_32$ for new device registrations and for existing device certificate renewals.

The Admin portal > Settings > System Settings > Client Mutual Certificate Authentication > Certificate Enrollment setting drop-down menu displays only the Simple Certificate Enrollment Protocol (SCEP) configurations with the five supported custom attributes in the Subject field. Configurations with other custom attributes do not display.

New endpoint for mutual certification authentication

Once mutual authentication is enabled on Core by the administrator, new mutual authentication devices endpoints are available for use by iOS and Android clients. The existing (old) OAuth endpoint is not protected by 2FA or mutual certificate authentication and is vulnerable to password spraying and DOS attacks. There is an option for the administrator to disable the original OAuth endpoint and utilize the new endpoint.

If mutual authentication migration is not enabled, then older client installations will continue to lack mutual authentication functionality.

This feature is applicable on Mobile@Work for Android version 11.1.0.0 and Mobile@Work for iOS version 12.11.10 or supported newer versions.

Below is an example scenario of the old OAuth versus the new endpoint:

Table 89.  Old OAuth vs New endpoint

New endpoint	Old OAuth
Not configured	Enabled (old OAuth endpoint works)
Enabled	Enabled (new endpoint works)
Enabled	Disabled (new endpoint works)
Disabled	Disabled (Error)

Note the following:

You can have mutual certificate authentication on Mobile@Work clients (both iOS and Android) and on the watchOS app, however, it will mean less security. Ivanti does not recommend putting mutual certificate authentication on the watchOS app.

To implement this setup, two endpoints are required:

1. A current OAuth endpoint that can be used by watchOS app, an old or updated Mobile@Work for iOS, OR an old or updated Mobile@Work for Android and cURL script.

2. A new endpoint that will always require mutual certificate authentication.

Before you begin 

• Administrators should have enabled mutual certificate authentication and have migrated all the devices. Check-ins will occur on port 443 and not sync the TLS port 9997.

• Clients need to be upgraded to the version that supports the new endpoint.

Procedure 

1. Go to Settings > System Settings.

2. In the left navigational pane, click Security > Certificate Authentication.

   The Client Mutual Certification Authentication page displays in the right pane.

3. Use the below guidelines to complete this form.

   Table 90.  Client Mutual Certification Authentication

   Item	Description
   Enable client mutual certificate authentication on Android client, iOS client, iOS and macOS MDM and AppConnect communications	Selecting the check box is a pre-requisite to enabling the new endpoint.
   Certificate Enrollment Setting	Select System-Mutual Auth CE from the drop-down.
   Enable new OAuth Endpoint with Mutual certificate Authentication	Select this to enable the new endpoint. If this field is greyed out, it means you did not meet the pre-requisite requirements of enabling mutual certificate authentication and migrating all client devices. See Before you begin.
   Disable legacy OAuth Endpoint	This should only be done after the client devices have been updated to Mobile@Work for Android version X and Mobile@Work for iOS version X. When selecting the Disable legacy OAuth Endpoint box, a confirmation displays. Click Disable. A second confirmation dialog box displays, click Disable. Once disabled, the WatchOS app will no longer work. This setting can be reversed by de-selecting it. Before disabling the legacy OAuth endpoint, make sure that all devices are migrated to the new endpoint.

4. Click Save.

Handling client identity certificate expiration for Android devices

Mobile@Work 10.1 for Android handles the expiration of the client identity certificate used for mutual authentication between Mobile@Work for Android and Core. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Mobile@Work determines the renewal window has begun, it requests a new certificate from Core.

If Mobile@Work is out of contact with Core during the renewal window, but is in contact again within 30 days after the expiration, Mobile@Work requests a new certificate from Core.

If Mobile@Work is not in contact with Core either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Core.

Mobile@Work versions prior to 10.1 do not support certificate expiration. When the certificate expires, the device user must re-register Mobile@Work.

Procedure 

1. In the Admin Portal, go tos Policies & Configs > Policies.
2. Select the appropriate sync policy.

3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 60.

   A blank value defaults to 60 days.

4. Click Save.
5. Click OK.

Handling client identity certificate expiration for iOS devices

Mobile@Work 11.1.0 for iOS handles the expiration of the client identity certificate used for mutual authentication between Mobile@Work for iOS and Core version 10.3.0.0 or supported newer versions. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Mobile@Work determines the renewal window has begun, it requests a new certificate from Core.

If Mobile@Work is out of contact with Core during the renewal window, but is in contact again within 30 days after the expiration, Mobile@Work requests a new certificate from Core.

If Mobile@Work is not in contact with Core either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Core.

Mobile@Work versions prior to 11.1.0 do not support certificate expiration. When the certificate expires, the device user must re-register Mobile@Work.

Procedure 

1. In the Admin Portal, go to Policies & Configs > Policies.
2. Select the appropriate sync policy.

3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 60.

   A blank value defaults to 60 days.

4. Click Save.
5. Click OK.

Mutual authentication and Apps@Work

Both Apps@Work for Android and Apps@Work for iOS can use mutual authentication.

Apps@Work for iOS uses mutual authentication if you select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication. It does not depend on the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

However, Apps@Work for Android uses mutual authentication only if you do both of the following:

• Select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication.
• Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

Related topics 

• "Setting up Apps@Work for iOS and macOS" in the Core Apps@Work Guide
• "Apps@Work in Mobile@Work for Android in the Core Apps@Work Guide

Enabling mutual authentication for Apple and Android devices

The Core mutual authentication setting enables mutual authentication for:

• Mobile@Work for Android

• Apps@Work for Android

  • You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
  • The device must be using Mobile@Work 10.2.0.0 for Android or supported newer versions.
• Mobile@Work 9.8 for iOS or supported newer versions.
• iOS MDM
• macOS MDM

Note the following:

• The setting is automatically enabled in the cases described in The mutual authentication setting on Core.
• After you enable mutual authentication, you cannot disable it.

Before you begin 

1. As discussed in in Mutual authentication client identity certificate, create a SCEP certificate enrollment setting if you do not want to use the default local certificate enrollment setting for mutual authentication. The SCEP setting must select the Decentralized option. For details, see Certificate Enrollment settings.

   When you enable mutual authentication, change the certificate enrollment selection for mutual authentication before any more devices register. Any devices already registered and using mutual authentication will not be able to check-in with Core. Those devices will need to re-register with Core. Note that devices already registered but not using mutual authentication can continue to check-in.

2. If you are using iOS devices with the Apps@Work web clip using certificate authentication, change the Apps@Work Port field in the System Manager in Settings > Port Settings. Ivanti recommends port 7443. However, you can use any port except the port that the Admin Portal uses, which is either 443 or 8443, which you specify in the MIFS Admin Port field in the System Manager in Settings > Port Settings.

Procedure 

1. In the Admin Portal, go to Settings > System Settings > Security > Certificate Authentication.
2. Select Enable client mutual certification on Android client, iOS client and Apple MDM communication.
3. In the Certificate Enrollment Configuration field, most customers use the default selection. Otherwise, select a SCEP certificate enrollment setting.
4. Click Save.

Related topics 

• “Setting up Apps@Work for iOS and macOS” in the Core Apps@Work Guide
• "Port settings" in the Core System Manager Guide
• “Apps@Work for Android authentication to Core” in the Core Apps@Work Guide

Enabling TLS inspecting proxy support when using mutual authentication

Contact Ivanti Professional Services or an Ivanti certified partner to set up this deployment.

Core can support a TLS inspecting proxy to handle HTTPS requests from your devices to Core when using mutual authentication. For example, you can use a TLS offload proxy such as an Apache or F5 server. This proxy is also known as a Trusted Front End. It intercepts and decrypts HTTPS network traffic and when it determines that the final destination is Core, it re-encrypts and forwards the traffic to Core. The devices that register to Core (using port 443) must send HTTPS requests to the TFE rather than to Core. Also, the TFE must be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.

Related topics 

"Advanced: Trusted Front End" in the Core System Manager Guide

Migrating Mobile@Work for Android to use mutual authentication

For devices that register after enabling mutual authentication, Mobile@Work uses port 443 for device check-ins. However, devices that were already registered continue to use port 9997. You can migrate Mobile@Work for Android from using port 9997 without mutual authentication to using port 443 with mutual authentication. The device users do not need to re-register with Core.

Before you begin 

Instruct Android device users to upgrade to Mobile@Work 10.1 or supported newer versions. Prior Mobile@Work releases do not support migration.

Procedure 

1. In the Admin Portal, go to Policies & Configs > Policies.
2. Select the sync policy for the devices that you want to migrate. Select Edit.
3. In the Modify Sync Policy dialog box, select Migrate Mobile@Work Client.
4. Click Save.
5. Click OK.

On the next device check-in, Core will send the mutual authentication client identity certificate to the device. In all subsequent device check-ins, the device will use mutual authentication on port 443.

On that first device check-in, the device's client migration status changes to Pending. After Core has sent the mutual authentication client identity certificate to the device, the client migration status changes to Success. You can search on this value in the Client Migration Status field in Advanced Search on Devices & Users > Devices.

Related topics 

When devices use mutual authentication