Mutual authentication between devices and Ivanti EPMM
Ivanti EPMM supports mutual authentication, which means that not only must the device trust Ivanti EPMM, but Ivanti EPMM must trust the device. Therefore, with mutual authentication, a registered device can continue to communicate with Ivanti EPMM only if the device provides the right certificate to Ivanti EPMM. Mutually authenticated communication between the device and Ivanti EPMM enhances security.
A device authenticating to Ivanti EPMM with a certificate is also known as certificate-based authentication to Ivanti EPMM.
- Benefits of mutual certificate authentication
- Scenarios that can use mutual authentication
- Ivanti EPMM port usage with devices, with and without mutual authentication
- The mutual authentication setting on Ivanti EPMM
- When devices use mutual authentication
- Mutual authentication identity certificate for Ivanti EPMM
- Mutual authentication client identity certificate
- Bridging old and new client mutual authentication CA certificates
- Supported custom attributes for mutual authentication certificates
- New endpoint for mutual certificate authentication
- Handling client identity certificate expiration for Android devices
- Mutual authentication and Apps@Work
- Enabling mutual authentication for Apple and Android devices
- Enabling TLS inspecting proxy support when using mutual authentication
- Migrating Ivanti Mobile@Work for Android and iOS to use mutual authentication
Benefits of mutual certificate authentication
Without mutual certificate authentication, only the mobile client verifies Ivanti EPMM's certificate. The client is not required to present a certificate of its own to the server.
With mandatory mutual certificate authentication, Ivanti EPMM also demands a certificate from the client and verifies the certificate that the client presents.
Mutual certificate authentication improves security because an attacker cannot complete the TLS handshake without a certificate issued by a CA that Ivanti EPMM trusts and the matching private key. Impersonating a registered device therefore requires that device's private key, not just knowledge of a credential.
Ivanti strongly recommends that you enable mutual authentication.
Scenarios that can use mutual authentication
The device can present a client identity certificate to Ivanti EPMM in the following cases:

| Platform | Mutual authentication usage |
|---|---|
| iOS | |
| macOS | |
| Android | |
| Windows 10 | Device check-in |

Mutual authentication is not possible at the time Ivanti Mobile@Work registers with Ivanti EPMM, because the device receives its identity certificate during the registration process.
Ivanti EPMM port usage with devices, with and without mutual authentication
The following table summarizes Ivanti EPMM port usage for registration and further communication with devices. For some clients the port depends on whether mutual authentication is enabled.

| Client | Without mutual authentication | With mutual authentication |
|---|---|---|
| Ivanti Mobile@Work for iOS | 9997 | 443 |
| Ivanti Mobile@Work for Android | 9997 | 443 |
| Ivanti Mobile@Work for macOS | Not applicable. Ivanti Mobile@Work for macOS always uses mutual authentication with Ivanti EPMM. | 443 |
| iOS and macOS MDM agent provisioning and agent check-in | 443 | 443 |
| Windows 10 | Not applicable. Windows 10 always uses mutual authentication with Ivanti EPMM. | 443 |

Port 9997 is configurable in the System Manager in Settings > Port Settings > Sync TLS Port. However, changing the port is rare.
The mutual authentication setting on Ivanti EPMM
The setting on Ivanti EPMM that enables mutual authentication is in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. Whether the setting is selected automatically on new installations and upgrades is described in the following table.

| Scenario | Setting to enable mutual authentication |
|---|---|
| New installation | Not selected. Mutual authentication is not enabled. |
| Upgrade from a previous version of Ivanti EPMM in which mutual authentication was not enabled | Not selected. Mutual authentication is not enabled. |
| Upgrade from a previous version of Ivanti EPMM in which mutual authentication was enabled | Selected. Mutual authentication is enabled. |

IMPORTANT: Once mutual authentication is enabled on Ivanti EPMM, it cannot be disabled.
The mutual authentication setting impacts mutual authentication usage only on:
- Ivanti Mobile@Work for Android
- Apps@Work for Android. However, to enable mutual authentication for Apps@Work for Android:
  - You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
  - The device must be using Ivanti Mobile@Work 10.2.0.0 for Android or supported newer versions.
- Ivanti Mobile@Work 9.8 for iOS or supported newer versions.
- iOS MDM
- macOS MDM
The mutual authentication setting has no impact on mutual authentication usage on:
- Versions of Ivanti Mobile@Work for iOS prior to Ivanti Mobile@Work 9.8. These versions of Ivanti Mobile@Work for iOS never use mutual authentication.
- Apps@Work for iOS. Apps@Work for iOS always uses mutual authentication from Ivanti EPMM 11.3.0.1 and newer versions.
- Ivanti Mobile@Work for macOS. Ivanti Mobile@Work for macOS always uses mutual authentication.
- Windows 10 devices. Windows 10 devices always use mutual authentication.
When devices use mutual authentication
Whether devices use mutual authentication depends on:
- The device platform
- Which version of Ivanti EPMM your network is using
- For Ivanti Mobile@Work for iOS, the version of Ivanti Mobile@Work
- Whether mutual authentication was enabled before upgrade
- Whether mutual authentication is enabled after upgrade
- Whether mutual authentication is enabled after a new installation
The following table summarizes when devices use mutual authentication (MA) and the port they use to communicate with Ivanti EPMM.

| Device client | New Ivanti EPMM installation, or upgrade in which the MA setting was NOT enabled before the upgrade (MA setting: not enabled) | New installation in which you enable the MA setting after installation, or upgrade in which the MA setting was NOT enabled before the upgrade but you enable it afterwards (MA setting: enabled) | Upgrade in which the MA setting WAS enabled before the upgrade (MA setting: enabled) |
|---|---|---|---|
| Android: Ivanti Mobile@Work (all versions that Ivanti EPMM supports) | Port: 9997. MA: not used | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used, until migrated (see Migrating Ivanti Mobile@Work for Android and iOS to use mutual authentication) | Port: 443. MA: used |
| iOS: Ivanti Mobile@Work 9.8 or supported newer versions | Port: 9997. MA: not used | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used, until migrated | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used, until migrated |
| iOS: Ivanti Mobile@Work versions prior to 9.8 | Port: 9997. MA: not used | Port: 9997. MA: not used | Port: 9997. MA: not used |
| iOS: iOS MDM check-in | Port: 443. MA: not used | Port: 443. MA: used | Port: 443. MA: used |
| macOS: Ivanti Mobile@Work | Port: 443. MA: used | Port: 443. MA: used | Port: 443. MA: used |
| macOS: macOS MDM agent check-in | Port: 443. MA: not used | Port: 443. MA: used | Port: 443. MA: used |
| Windows 10 | Port: 443. MA: used | Port: 443. MA: used | Port: 443. MA: used |
On new Ivanti EPMM installations (not upgrades), if you enable mutual authentication before any devices register, you can disable port 9997 (in the System Manager in Settings > Port Settings > Sync TLS Port) because it is not used. If any devices registered before you enabled mutual authentication, disabling the port leaves those devices unable to check in.
Mutual authentication identity certificate for Ivanti EPMM
You provide the identity certificate that Ivanti EPMM uses in mutual authentication as the Portal HTTPS certificate. You configure this certificate in the System Manager at Security > Certificate Mgmt. It consists of the identity certificate and its certificate chain, together with the private key, and identifies Ivanti EPMM to devices so that they can trust it. When using mutual authentication, this certificate must be a publicly trusted certificate from a well-known Certificate Authority.
Mutual authentication client identity certificate
You enable mutual authentication for iOS and Android devices in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. The certificate enrollment setting specifies how the identity certificate that the device presents to Ivanti EPMM is generated.
By default, the certificate enrollment setting for mutual authentication uses Ivanti EPMM as a local Certificate Authority (CA). Most customers use the default selection. However, if your security requirements call for it, you can instead specify a SCEP certificate enrollment setting that you create. In that case, see Create the SCEP enrollment certificate.
Bridging old and new client mutual authentication CA certificates
On Ivanti EPMM systems prior to 11.5.0.0, updating the Certificate Authority (CA) certificate used for client mutual authentication required re-registering every device enrolled under that CA. With Ivanti EPMM 11.5.0.0 and supported newer versions, you can:
- Upload and select a new client mutual authentication CA certificate for devices going forward.
- Retire the previous CA certificate while still allowing existing devices to check in.
Procedure
- From the Admin Portal, navigate to Settings > System Settings > Security > Certificate Authentication.
- On the Client Mutual Certificate Authentication page, select the Certificate Enrollment Setting where the updated certificate will be in effect.
- Click Upload CA Chain and follow the prompts. Once uploaded, the new CA is in effect for new registrations, while the older CA remains trusted for devices that still hold certificates it issued. These older CA certificates are listed in the Previously Trusted Certificates Enrollment Settings table, below the Upload button.
See Handling client identity certificate expiration for Android devices and Mutual authentication between devices and Ivanti EPM&#8203;M.
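The handshake behaviour described under Benefits of mutual certificate authentication, the port difference from the port-usage table (a port with mutual authentication asks the device for a certificate, a port without it never does) and the bridging case above can be reproduced end to end with the Go standard library. The program below is an added example written for this page, not Ivanti code: the hostname epmm.example, the CA names, the loopback servers and the "checked in" reply are stand-ins constructed for the demonstration. It starts two in-process TLS servers, one modelling the sync port without mutual authentication and one modelling port 443 with it, trusts an old and a new client CA at the same time, and then checks in with a device certificate from each CA, with no certificate, and with a certificate from a CA that an attacker controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints an ECDSA P-256 cert: a self-signed CA when parent is nil, else a server or client leaf signed by parent.
func newCert(cn string, parent *tls.Certificate, server bool) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		if server {
			tmpl.DNSNames, tmpl.ExtKeyUsage = []string{"epmm.example"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer models Ivanti EPMM on loopback. clientCAs == nil is the sync port without MA (no client
// cert is ever requested); otherwise it is port 443 with MA: a client cert chaining to clientCAs is required.
func startServer(portal *tls.Certificate, clientCAs *x509.CertPool) string {
	cfg := &tls.Config{Certificates: []tls.Certificate{*portal}}
	if clientCAs != nil {
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, clientCAs
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// The handshake fails, and alerts the device, on a missing or untrusted client cert.
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("checked in\n"))
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// checkIn is one device check-in: asked = did the server request a client cert; ok = was the check-in accepted.
func checkIn(addr string, trust *x509.CertPool, identity *tls.Certificate) (asked, ok bool) {
	cfg := &tls.Config{RootCAs: trust, ServerName: "epmm.example",
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			asked = true
			if identity == nil {
				return &tls.Certificate{}, nil // empty: send no certificate
			}
			return identity, nil
		}}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, err = conn.Read(make([]byte, 16)) // TLS 1.3 delivers a client-cert rejection as an alert after the handshake
	}
	return asked, err == nil
}

// result: AsksOff/AsksOn = did the server request a cert; the rest = was the check-in accepted.
type result struct{ AsksOff, AsksOn, OffNoCert, OldCA, NewCA, NoCert, RogueCA bool }

// runScenario: portal cert from a stand-in public CA, two client CAs trusted at once (bridging), one attacker CA.
func runScenario() result {
	publicCA := newCert("Stand-in public CA", nil, false)
	portal := newCert("epmm.example", publicCA, true)
	oldCA, newCA, rogueCA := newCert("Client CA old", nil, false), newCert("Client CA new", nil, false), newCert("Attacker CA", nil, false)
	trust, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(publicCA.Leaf)
	clientCAs.AddCert(oldCA.Leaf)
	clientCAs.AddCert(newCA.Leaf) // old devices keep checking in while new ones are issued from the new CA
	off, on := startServer(portal, nil), startServer(portal, clientCAs)
	var r result
	r.AsksOff, r.OffNoCert = checkIn(off, trust, nil)
	r.AsksOn, r.OldCA = checkIn(on, trust, newCert("device-1", oldCA, false))
	_, r.NewCA = checkIn(on, trust, newCert("device-2", newCA, false))
	_, r.NoCert = checkIn(on, trust, nil)
	_, r.RogueCA = checkIn(on, trust, newCert("device-1", rogueCA, false)) // same CN, untrusted issuer
	return r
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Run it with go run. AsksOff is false and AsksOn is true: that is the observable difference between the two ports, and it is what a probe of the real sync port and port 443 would show as the absence or presence of a certificate request. OldCA and NewCA both succeed because the server's client CA pool holds both CAs, which is the bridging behaviour; NoCert and RogueCA fail because a certificate that does not chain to a trusted client CA, or no certificate at all, is rejected in the handshake before any application data is exchanged.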
Supported custom attributes for mutual authentication certificates
From Ivanti EPMM release 10.8.0.0 through the latest release supported by Ivanti, Inc, Ivanti EPMM supports only the following list of custom attributes in the Subject field for mutual authentication enrollment certificates:
- $RANDOM_16$
- $RANDOM_32$
- $RANDOM_64$
- $CONFIG_UUID$
- $TIMESTAMP_MS$
If, after upgrading to release 10.8.0.0 or supported newer versions, the existing selected mutual authentication certificate includes unsupported attributes, Ivanti EPMM will replace them with the value $RANDOM_32$ for new device registrations and for existing device certificate renewals.
The Admin Portal > Settings > System Settings > Client Mutual Certificate Authentication > Certificate Enrollment setting drop-down menu displays only the Simple Certificate Enrollment Protocol (SCEP) configurations with the five supported custom attributes in the Subject field. Configurations with other custom attributes do not display.
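To find SCEP enrollment settings whose Subject would silently change on upgrade, or that will not appear in the drop-down, you can check each subject template against the five supported attributes before upgrading. The following Go program is an added example for this page, not Ivanti code. It assumes the $NAME$ syntax shown in the list above; the sample subjects and the variable names $USERID$ and $EMAIL$ are constructed for illustration. RewriteSubject applies the replacement rule the page describes, with each unsupported attribute becoming $RANDOM_32$.

```go
package main

import (
	"fmt"
	"regexp"
)

// Attributes that Ivanti EPMM 10.8.0.0 and newer accept in the Subject of a
// mutual authentication enrollment certificate (the list on this page).
var supported = map[string]bool{
	"$RANDOM_16$": true, "$RANDOM_32$": true, "$RANDOM_64$": true,
	"$CONFIG_UUID$": true, "$TIMESTAMP_MS$": true,
}

// variable matches one $NAME$ substitution; the syntax is assumed from the
// attribute names above.
var variable = regexp.MustCompile(`\$[A-Za-z0-9_]+\$`)

// UnsupportedAttributes returns the variables in subject that EPMM would not
// accept, in order of first appearance, without duplicates.
func UnsupportedAttributes(subject string) []string {
	seen := map[string]bool{}
	var out []string
	for _, v := range variable.FindAllString(subject, -1) {
		if !supported[v] && !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// RewriteSubject returns the subject as EPMM would apply it after the upgrade:
// every unsupported variable becomes $RANDOM_32$, supported ones are kept.
func RewriteSubject(subject string) string {
	return variable.ReplaceAllStringFunc(subject, func(v string) string {
		if supported[v] {
			return v
		}
		return "$RANDOM_32$"
	})
}

func main() {
	// Constructed sample SCEP subject templates ($USERID$ and $EMAIL$ are
	// illustrative variable names, not taken from a real configuration).
	for _, s := range []string{
		"CN=$CONFIG_UUID$,OU=$RANDOM_16$,O=Example Corp",
		"CN=$USERID$,E=$EMAIL$,OU=$RANDOM_64$",
	} {
		fmt.Printf("%s\n  unsupported: %v\n  after upgrade: %s\n", s, UnsupportedAttributes(s), RewriteSubject(s))
	}
}
```

A template that UnsupportedAttributes reports as clean is one that the Certificate Enrollment setting drop-down will list; any template it flags is one whose per-device subjects would change from user-specific values to random strings after the upgrade, which is worth knowing before the first renewal cycle rather than after.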
New endpoint for mutual certificate authentication
Once the administrator enables mutual authentication on Ivanti EPMM, new mutual authentication device endpoints become available to iOS and Android clients. The existing (old) OAuth endpoint is not protected by 2FA or mutual certificate authentication and is exposed to password spraying and DoS attacks. The administrator can disable the original OAuth endpoint and use only the new endpoint.
If mutual authentication migration is not enabled, older client installations continue to lack mutual authentication functionality.
This feature applies to Ivanti Mobile@Work for Android version 11.1.0.0 and Ivanti Mobile@Work for iOS version 12.11.10 or supported newer versions.
The following table shows how the old OAuth endpoint and the new endpoint interact:

| New endpoint | Old OAuth endpoint | Result |
|---|---|---|
| Not configured | Enabled | Old OAuth endpoint works |
| Enabled | Enabled | New endpoint works |
| Enabled | Disabled | New endpoint works |
| Disabled | Disabled | Error |
Note the following: you can use mutual certificate authentication with the Ivanti Mobile@Work clients (both iOS and Android) and with the watchOS app; however, doing so with the watchOS app means less security. Ivanti, Inc does not recommend mutual certificate authentication on the watchOS app.
To implement this setup, two endpoints are required:
- The current OAuth endpoint, which can be used by the watchOS app, by an old or updated Ivanti Mobile@Work for iOS or Android, and by a cURL script.
- A new endpoint that always requires mutual certificate authentication.
Before you begin
- Administrators must have enabled mutual certificate authentication and migrated all devices. Check-ins then occur on port 443, not on the Sync TLS port 9997.
- Clients must be upgraded to a version that supports the new endpoint.
Procedure
- Go to Settings > System Settings.
- In the left navigation pane, click Security > Certificate Authentication. The Client Mutual Certificate Authentication page displays in the right pane.
- Use the following guidelines to complete the form.

Table 84. Client Mutual Certificate Authentication

| Item | Description |
|---|---|
| Enable client mutual certificate authentication on Android client, iOS client, iOS and macOS MDM and AppConnect communications | Selecting the check box is a prerequisite to enabling the new endpoint. |
| Certificate Enrollment Setting | Select System-Mutual Auth CE from the drop-down. |
| Enable new OAuth Endpoint with Mutual certificate Authentication | Select this to enable the new endpoint. If this field is greyed out, you have not met the prerequisites of enabling mutual certificate authentication and migrating all client devices. See Before you begin. |
| Disable legacy OAuth Endpoint | Do this only after the client devices have been updated to Ivanti Mobile@Work for Android version X and Ivanti Mobile@Work for iOS version X. When you select the Disable legacy OAuth Endpoint box, a confirmation displays; click Disable. A second confirmation dialog box displays; click Disable. Once disabled, the watchOS app no longer works. This setting can be reversed by deselecting it. Before disabling the legacy OAuth endpoint, make sure that all devices are migrated to the new endpoint. |

- Click Save.
Handling client identity certificate expiration for Android devices
Ivanti Mobile@Work for Android handles the expiration of the client identity certificate used for mutual authentication between Ivanti Mobile@Work for Android and Ivanti EPMM. In the Admin Portal, on the sync policy for the device, you specify a renewal window for the certificate: a number of days before the certificate expires. When Ivanti Mobile@Work determines that the renewal window has begun, it requests a new certificate from Ivanti EPMM.
- If Ivanti Mobile@Work is out of contact with Ivanti EPMM during the renewal window but is in contact again within 30 days after the expiration, Ivanti Mobile@Work requests a new certificate from Ivanti EPMM.
- If Ivanti Mobile@Work is not in contact with Ivanti EPMM either during the renewal window or within 30 days after the expiration, the device is retired and must re-register with Ivanti EPMM.
- Ivanti Mobile@Work versions prior to 10.1 do not handle certificate expiration. When the certificate expires, the device user must re-register Ivanti Mobile@Work.
Procedure
- In the Admin Portal, go to Policies & Configs > Policies.
- Select the appropriate sync policy.
- For Mutual Certificate Authentication Renewal Window, enter the number of days before the expiration date during which devices are allowed to renew their identity certificate. Enter a value between 1 and 270. A blank value defaults to 270 days.
- Click Save.
- Click OK.
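The renewal rules above, as an added example in Go (written for this page, not Ivanti code): RenewalAction decides, for a device that contacts Ivanti EPMM at a given time, whether it is outside the renewal window, should request a new certificate, or has already been retired, and NormalizeWindow applies the 1 to 270 day range and the 270-day default for a blank window. The expiry date in main is a constructed sample.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what Ivanti Mobile@Work does at a check-in, per the rules on this page.
type Action string

const (
	ActionNone   Action = "none: outside the renewal window"
	ActionRenew  Action = "renew: request a new identity certificate"
	ActionRetire Action = "retire: more than 30 days past expiry, device must re-register"
)

// graceAfterExpiry is the period after expiry during which a late check-in still renews.
const graceAfterExpiry = 30 * 24 * time.Hour

// NormalizeWindow applies the sync policy rule: the window is 1 to 270 days,
// and a blank value (0 here) defaults to 270.
func NormalizeWindow(days int) (int, error) {
	switch {
	case days == 0:
		return 270, nil
	case days < 1 || days > 270:
		return 0, fmt.Errorf("renewal window %d days is outside 1..270", days)
	}
	return days, nil
}

// RenewalAction decides what a device in contact with Ivanti EPMM at now does
// about a certificate expiring at notAfter, for the given policy window.
func RenewalAction(notAfter, now time.Time, windowDays int) (Action, error) {
	days, err := NormalizeWindow(windowDays)
	if err != nil {
		return "", err
	}
	windowStart := notAfter.Add(-time.Duration(days) * 24 * time.Hour)
	switch {
	case now.Before(windowStart):
		return ActionNone, nil
	case !now.After(notAfter.Add(graceAfterExpiry)):
		// Inside the window, or expired but within the 30-day grace period.
		return ActionRenew, nil
	default:
		return ActionRetire, nil
	}
}

func main() {
	notAfter := time.Date(2025, 6, 30, 0, 0, 0, 0, time.UTC) // constructed sample expiry
	for _, now := range []time.Time{
		notAfter.AddDate(0, -10, 0), // long before the window
		notAfter.AddDate(0, 0, -10), // inside a 30-day window
		notAfter.AddDate(0, 0, 20),  // expired, but within 30 days
		notAfter.AddDate(0, 0, 40),  // expired for more than 30 days
	} {
		action, _ := RenewalAction(notAfter, now, 30)
		fmt.Printf("contact on %s: %s\n", now.Format("2006-01-02"), action)
	}
}
```

The 30-day grace period is what makes a short renewal window survivable for devices that are offline for a while: a device that misses a 7-day window entirely can still renew on its first contact up to 30 days after expiry, but a device that stays out of contact longer is retired and the user has to re-register.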
Mutual authentication and Apps@Work
Both Apps@Work for Android and Apps@Work for iOS can use mutual authentication.
Apps@Work for iOS uses mutual authentication if you select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication. It does not depend on the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.
However, Apps@Work for Android uses mutual authentication only if you do both of the following:
- Select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication.
- Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.
Related topics:
- "Setting up Apps@Work for iOS and macOS" in the Ivanti EPMM Apps@Work Guide
- "Apps@Work in Ivanti Mobile@Work for Android" in the Ivanti EPMM Apps@Work Guide
Enabling mutual authentication for Apple and Android devices
The Ivanti EPMM mutual authentication setting enables mutual authentication for:
- Ivanti Mobile@Work for Android
- Apps@Work for Android. In addition:
  - You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
  - The device must be using Ivanti Mobile@Work 10.2.0.0 for Android or supported newer versions.
- Ivanti Mobile@Work 9.8 for iOS or supported newer versions.
- iOS MDM
- macOS MDM
Mutual authentication is automatically enabled in the cases described in The mutual authentication setting on Ivanti EPMM.
Important: After you enable mutual authentication, you cannot disable it.
Before you begin
- As discussed in Mutual authentication client identity certificate, create a SCEP certificate enrollment setting if you do not want to use the default local certificate enrollment setting for mutual authentication. The SCEP setting requires that you enable the following options:
  - Decentralized
  - Proxy requests through Ivanti EPMM
  For details, see Certificate Enrollment settings.
  If you change the certificate enrollment selection for mutual authentication, do so before any more devices register. Devices already registered and using mutual authentication with the previous selection can no longer check in with Ivanti EPMM and must re-register. Devices already registered but not using mutual authentication can continue to check in.
- If you are using iOS devices with the Apps@Work web clip using certificate authentication, change the Apps@Work Port field in the System Manager in Settings > Port Settings. Ivanti, Inc recommends port 7443. However, you can use any port except the port that the Admin Portal uses, which is either 443 or 8443, as specified in the MIFS Admin Port field in the System Manager in Settings > Port Settings.
Procedure
- In the Admin Portal, go to Settings > System Settings > Security > Certificate Authentication.
- Select Enable client mutual certification on Android client, iOS client and Apple MDM communication.
- In the Certificate Enrollment Configuration field, most customers use the default selection. Otherwise, select a SCEP certificate enrollment setting.
- Click Save.
Related topics:
- "Setting up Apps@Work for iOS and macOS" in the Ivanti EPMM Apps@Work Guide
- "Port settings" in the Ivanti EPMM System Manager Guide
- "Apps@Work for Android authentication to Ivanti EPMM" in the Ivanti EPMM Apps@Work Guide
Enabling TLS inspecting proxy support when using mutual authentication
Contact Ivanti, Inc Professional Services or an Ivanti, Inc certified partner to set up this deployment.
Ivanti EPMM can support a TLS inspecting proxy that handles HTTPS requests from your devices to Ivanti EPMM when mutual authentication is in use. For example, you can use a TLS offload proxy such as an Apache or F5 server. This proxy is also known as a Trusted Front End (TFE). It terminates and decrypts the devices' HTTPS traffic and, when it determines that the final destination is Ivanti EPMM, re-encrypts and forwards the traffic to Ivanti EPMM. Devices that register to Ivanti EPMM (using port 443) must send their HTTPS requests to the TFE rather than to Ivanti EPMM. The TFE must be provisioned with digital certificates that establish an identity chain of trust to a legitimate server verified by a trusted third-party certificate authority. Because the TFE terminates the devices' TLS sessions, it is the TFE, not Ivanti EPMM, that receives each device's client certificate in the handshake, so the TFE configuration must itself require and verify client certificates; the details of that configuration are part of the Professional Services deployment.
"Advanced: Trusted Front End" in the Ivanti EPMM System Manager Guide
Migrating Ivanti Mobile@Work for Android and iOS to use mutual authentication
For devices that register after you enable mutual authentication, Ivanti Mobile@Work uses port 443 for device check-ins. Devices that were already registered continue to use port 9997 without mutual authentication. You can migrate Ivanti Mobile@Work for Android and iOS from port 9997 without mutual authentication to port 443 with mutual authentication. Device users do not need to re-register with Ivanti EPMM.
Before you begin
Instruct Android and iOS device users to upgrade to Ivanti Mobile@Work 10.1 for Android or Ivanti Mobile@Work 12.11.10 for iOS or supported newer versions. Earlier Ivanti Mobile@Work releases do not support migration.
Procedure
- In the Admin Portal, go to Policies & Configs > Policies.
- Select the sync policy for the devices that you want to migrate. Select Edit.
- In the Modify Sync Policy dialog box, select Migrate Mobile@Work Client.
- Click Save.
- Click OK.
On the next device check-in, Ivanti EPMM sends the mutual authentication client identity certificate to the device. In all subsequent check-ins, the device uses mutual authentication on port 443.
On that first check-in, the device's client migration status changes to Pending. After Ivanti EPMM has sent the mutual authentication client identity certificate to the device, the client migration status changes to Success. You can search on this value in the Client Migration Status field in Advanced Search on Devices & Users > Devices.