Setting up certificate authentication

This section provides the required steps to set up a new dedicated local certification authority (local CA), provision its public certificate to Windows 10 devices (making it trusted), and configure certificate enrollment for Windows 10 devices. If Apps@Work finds a suitable device certificate to use for authentication, Apps@Work uses it instead of asking the user for a password.

Implement the work flow in the following order:

  1. Add a new local certification authority
  2. Create a label for all Windows 10 devices
  3. Provision the CA certificate to all Windows 10 devices
  4. Create a label for Windows 10 Desktop devices
  5. Distribute device certificates to Windows 10 Desktop devices
  6. Enable use of device certificates for Apps@Work authentication

This cert is used only for Apps@Work, not for VPN, email, or any other profile. When the cert is used for Apps@Work, it is converted to a cert that can only be used with the app.

Add a new local certification authority

This section supports a local CA. Other certification authorities such as Entrust, Microsoft NDES or Symantec Managed PKI are not supported.

To add a new local certification authority:

  1. In the Ivanti EPMM Admin Portal, go to Services > Local CA.
  2. Select Add > Generate Self-Signed Cert.
  3. Enter the following configuration:

    • Local CA Name: Contoso CA  (we are using Contoso as an example in this documentation; replace Contoso with your company name)
    • Key Type: RSA
    • Key Length: 2048
    • CSR Signature Algorithm: SHA256
    • Key Lifetime (in days): 3650
    • Issuer Name: CN=Contoso CA
  4. Click Generate.
  5. Enter the following configuration:

    • Hash Algorithm: SHA256
    • Minimum Key Size Allowed: 2048
    • Key Lifetime (days): 365
  6. Keep other default values and click Save.
  7. Click the View Certificate link.
  8. Copy the base64-encoded public certificate (including the text -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters).
  9. Paste it to your text editor and save it to a file named Contoso.cer.

    You will use it in Provision the CA certificate to all Windows 10 devices.

  10. Click Close.

Create a label for all Windows 10 devices

If you already have a label for all Windows 10 devices, skip this section.

To create a label for all Windows 10 devices:

  1. In the Ivanti EPMM Admin Portal, go to Devices & Users > Labels.
  2. Click Add Label.
  3. Select or enter the following values:
    • Label name: Windows 10
    • Common fields: Platform Name
    • Operator: Equals
    • Value: Windows 10
  4. Verify that the expression is valid (with a green check mark).

    It should look like this: "common.platform_name" = "Windows 10"

  5. Click Save.

Provision the CA certificate to all Windows 10 devices

After creating a new self-signed (untrusted) CA in Add a new local certification authority, in this step you provision its public certificate to all Windows 10 devices so that they trust it. Without this step, the devices will not use the provisioned device certificates.

To provision the CA certificate to all Windows 10 devices:

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
  2. Click Add New > Certificate.
  3. Enter name Contoso CA.
  4. Click Browse next to File Name and select the Contoso.cer file you saved in Add a new local certification authority.
  5. Click Save > OK.
  6. Select the newly created CERTIFICATE setting and apply it to the Windows 10 label you created earlier.
  7. Click OK to confirm provisioning was successful.

Create a label for Windows 10 Desktop devices

If you already have a label for all Windows 10 Desktop devices, skip this section.

To create a label for Windows 10 Desktop devices:

  1. In the Ivanti EPMM Admin Portal, go to Devices & Users > Labels.
  2. Click Add Label.
  3. Select or enter the following values:
    • Label name: Windows 10 Desktop
    • Common fields: Platform Name
    • Operator: Equals
    • Value: Windows 10
    • Phone: False
  4. Verify that the expression is valid (with a green check mark).

    It should look like this: "common.platform_name" starts with "Windows 10" AND "windows_phone.wp_phone" = false

  5. Click Save.

Distribute device certificates to Windows 10 Desktop devices

Now that the new certification authority is trusted, you can distribute device certificates to Windows 10 Desktop devices. Apps@Work for Windows 10 expects the certificate subject to be the device UUID. MDM also provisions the device UUID value to Apps@Work so that it can find the certificate.

To distribute device certificates to Windows 10 Desktop devices:

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
  2. Click Add New > Certificate Enrollment > Local.
  3. Enter or select the following values for configuration:
    • Name: Contoso Windows Certificate Authentication
    • Radio Button: Device Certificate
    • Local CAs: Contoso CA
    • Subject: CN=$DEVICE_UUID$
    • Key Usage: Signing and Encryption (check both)
    • Key Length: 2048
    • CSR Signature Algorithm: SHA256
  4. Click Issue Test Certificate.
  5. Verify that the values in the test certificate are correct.
  6. Click OK > Save.
  7. Select the newly created SCEP setting and apply it to the Windows 10 Desktop label.
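As an added example (not code from the Ivanti documentation or product), the following openssl script reproduces the certificate parameters entered in Add a new local certification authority and in this section, then runs the checks an administrator can make on the exported Contoso.cer and on an issued device certificate: PEM delimiters, issuer and subject CN, key size, and that the device certificate chains to the local CA. It assumes openssl is on the PATH; the device UUID is a constructed sample value.

```shell
#!/bin/sh
# Added example, not part of the Ivanti documentation or product.
# Assumes openssl on PATH; the UUID below is a constructed sample value.
set -eu
WORK=$(mktemp -d)

# Mirror the Local CA dialog: RSA 2048, SHA256, 3650-day lifetime, CN=Contoso CA.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=Contoso CA" -keyout "$WORK/ca.key" -out "$WORK/Contoso.cer" 2>/dev/null
}

# Mirror the enrollment configuration: subject CN = device UUID, 365 days,
# key usage signing + encryption, signed by the local CA.
issue_device_cert() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$1" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' >"$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$WORK/device.csr" \
    -CA "$WORK/Contoso.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/device.cer" 2>/dev/null
}

# The saved Contoso.cer must keep both PEM delimiters (step 8 of the CA procedure).
ca_file_is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Extract the CN from the issuer / subject line; handles both "CN = x" and "/CN=x" output.
issuer_cn() { openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'; }
subject_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Key size the CA dialog requires (Minimum Key Size Allowed: 2048).
key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# A device cert is usable only if it chains to the CA the devices trust.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone run: build the pair and print the checks an admin would eyeball.
DEVICE_UUID="11111111-2222-3333-4444-555555555555"   # constructed sample UUID
make_local_ca
issue_device_cert "$DEVICE_UUID"
echo "CA issuer CN : $(issuer_cn "$WORK/Contoso.cer")"
echo "device CN    : $(subject_cn "$WORK/device.cer")"
echo "device bits  : $(key_bits "$WORK/device.cer")"
chains_to_ca "$WORK/Contoso.cer" "$WORK/device.cer" && echo "chain: OK"
```

Running the same `openssl verify` against a device certificate issued by a different CA fails, which is the symptom you see when the CA certificate was never provisioned to the device.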

Enable use of device certificates for Apps@Work authentication

The last step is to enable the use of certificates for authentication. Under the hood, this changes the Apache configuration by adding the local CA created in Add a new local certification authority to the list of accepted certification authorities.

To enable use of device certificates for Apps@Work authentication:

  1. In the Ivanti EPMM Admin Portal, go to Settings > System Settings > Windows > Certificate Authentication.
  2. Check Enable client certificate authentication.
  3. Select Contoso Windows Certificate Authentication certificate enrollment configuration.
  4. Click Save.