Mutual authentication between devices and Ivanti EPMM

Ivanti EPMM supports mutual authentication (MA), which means that not only must the device trust Ivanti EPMM, but Ivanti EPMM must trust the device. Therefore, with mutual authentication, a registered device can continue to communicate with Ivanti EPMM only if the device provides the right certificate to Ivanti EPMM. Mutually authenticated communication between the device and Ivanti EPMM enhances security.

A device authenticating to Ivanti EPMM with a certificate is also known as certificate-based authentication to Ivanti EPMM.

Benefits of mutual certificate authentication

Without mutual certificate authentication, only the mobile client verifies Ivanti EPMM's certificate. The client is not required to provide its certificate to the server.

With mandatory mutual certificate authentication, Ivanti EPMM demands that the client also provide its certificate. Ivanti EPMM then verifies the certificate provided by the client.

Mutual certificate authentication improves security as it is not easy for an attacker to produce a certificate to impersonate the client.

Ivanti strongly recommends that you enable mutual authentication.

Scenarios that can use mutual authentication

The device can present a client identity certificate to Ivanti EPMM in the following cases:

Table 80.   Mutual authentication usage by platform

Platform

Mutual Authentication usage

iOS

  • Ivanti Mobile@Work for iOS device check-in
  • AppConnect for iOS check-in
  • iOS MDM device check-in
  • Apps@Work for iOS communication
  • Certificate pinning policy

macOS

  • Ivanti Mobile@Work for macOS device check-in
  • macOS MDM device check-in

Android

  • Ivanti Mobile@Work for Android device check-in, which includes AppConnect check-in
  • Apps@Work for Android communication

Windows 10

Device check-in

Mutual authentication is not possible at the time Ivanti Mobile@Work registers with Ivanti EPMM, because the device receives its identity certificate during the registration process.

Ivanti EPMM port usage with devices, with and without mutual authentication

The following table summarizes Ivanti EPMM port usage for registration and further communication with devices. The port usage for some cases is different depending on whether mutual authentication is enabled.

Table 81.   Ivanti EPMM port usage with devices with and without mutual authentication

 

Without mutual authentication

With mutual authentication

Ivanti Mobile@Work for iOS

9997

443

Ivanti Mobile@Work for Android

9997

443

Ivanti Mobile@Work for macOS

Not applicable.

Ivanti Mobile@Work for macOS always uses mutual authentication with Ivanti EPMM.

443

iOS and macOS MDM agent provisioning and agent check-in

443

443

Windows 10

Not applicable.

Windows 10 always uses mutual authentication with Ivanti EPMM.

443

Port 9997 is configurable in the System Manager in Settings > Port Settings > Sync TLS Port. However, changing the port is rare.

The mutual authentication setting on Ivanti EPMM

The setting on Ivanti EPMM to enable mutual authentication (MA) is in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. Whether the setting is automatically selected on new installations and upgrades is described by the following table.

Table 82.   Setting for mutual authentication on new installs and upgrades

 

Setting to enable mutual authentication

New installations

Enabled by default.

Upgrade from a previous version of Ivanti EPMM in which mutual authentication was not enabled.

Not selected. Mutual authentication is not enabled.

 

Upgrade from a previous version of Ivanti EPMM in which mutual authentication was enabled.

Selected. Mutual authentication is enabled.

IMPORTANT: Once mutual authentication is enabled on Ivanti EPMM, it cannot be disabled.

The mutual authentication setting impacts mutual authentication usage only on:

  • Ivanti Mobile@Work for Android and iOS
  • iOS MDM
  • macOS MDM

The mutual authentication setting has no impact on mutual authentication usage on:

  • Versions of Ivanti Mobile@Work for iOS prior to Ivanti Mobile@Work 9.8. These versions of Ivanti Mobile@Work for iOS never use mutual authentication.
  • Apps@Work for iOS. Apps@Work for iOS always uses mutual authentication from Ivanti EPMM 11.3.0.1 and newer versions.
  • Ivanti Mobile@Work for macOS. Ivanti Mobile@Work for macOS always uses mutual authentication.
  • Windows 10 devices. Windows 10 devices always uses mutual authentication.

The following table summarizes when devices use mutual authentication and the port they use in communication with Ivanti EPMM.

Table 83.   Ivanti EPMM mutual authentication (MA) setting impact to device communication

 

Ivanti EPMM upgrade
in which:

MA setting was NOT enabled before upgrade

Ivanti EPMM upgrade in which MA setting WAS enabled

New Ivanti EPMM installation

Mutual authentication setting

Not enabled

Enabled

Enabled

Device client

Android:

Ivanti Mobile@Work

(all Ivanti Mobile@Work versions that Ivanti EPMM supports)

Port: 9997

MA: not used

Devices that register after enabling MA:

  • Port: 443
  • MA: used

Devices that were already registered:

Once the device has checked in with Ivanti EPMM, the device will transition from non-mutual to mutual authentication.

  • Before the transition, use port 9997.
  • After the transition, use port 443.

Port: 443

MA: used

iOS:

Ivanti Mobile@Work 9.8 or supported newer versions

Port: 9997

MA: not used

Devices that register after enabling MA:

  • Port: 443
  • MA: used

Devices that were already registered:

Once the device has checked in with Ivanti EPMM, the device will transition from non-mutual to mutual authentication.

  • Before the transition, use port 9997.
  • After the transition, use port 443.

Port: 443

MA: used

iOS:

iOS MDM check-in

Port: 443

MA: not used

Port: 443

MA: used

Port: 443

MA: used.

macOS:

Ivanti Mobile@Work

Port: 443

MA: used

Port: 443

MA: used

Port: 443

MA: used

macOS

macOS MDM agent check-in

Port: 443

MA: not used

Port: 443

MA: used

Port: 443

MA: used

Windows 10

 

Port: 443

MA: used

Port: 443

MA: used

Port: 443

MA: used

Disabling Sync TLS port 9997

  • For new installations: You can directly disable the Sync TLS port.

  • For upgrades: The client mutual authentication settings page displays the number of pending devices that are due to enable mutual authentication. If all devices are using mutual authentication, you can then disable the Sync TLS port in the System Manager in Settings > Port Settings > Sync TLS Port.

Mutual authentication identity certificate for Ivanti EPMM

You provide an identity certificate for Ivanti EPMM to use in mutual authentication in the Portal HTTPS certificate. You configure this certificate on the System Manager at Security > Certificate Mgmt.The certificate is the identify certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing the devices to trust Ivanti EPMM. This certificate must be a publicly trusted certificate from a well-known Certificate Authority when using mutual authentication.

Mutual authentication client identity certificate

You enable mutual authentication for iOS and Android devices in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. The certificate enrollment setting specifies how the identity certificate that the device will present to Ivanti EPMM is generated.

By default, the certificate enrollment setting for mutual authentication is generated with Ivanti EPMM as a local Certificate Authority (CA). Most customers use the default selection. However, if necessary due to your security requirements, you can instead specify a SCEP certificate enrollment setting that you create. In that case, see Create the SCEP enrollment certificate

Bridging old and new client mutual authentication CA certificates

For Ivanti EPMM systems prior to 11.5.0.0, updating a Certificate Authority (CA) certificate for client mutual authentication required re-registering all devices currently enrolled under that certification. With Ivanti EPMM 11.5.0.0 and supported newer versions, you can:

  • Upload and select a new client mutual authentication certificate for devices going forward
  • Retire the previous certificate, while still allow existing devices to check in.

Procedure 

  1. From the Admin portal, navigate to Settings > System Settings > Security > Certificate Authentication.

  2. From the Client Mutual Certificate Authentication page, select the Certificate Enrollment Setting where the updated certificate will be in effect.

  3. Click Upload CA Chain and follow the prompts. Once uploaded, the new CA will be in effect for new installations, while the older CA is still accessible to devices with older installations. You can see these older CA certificates in the Previously Trusted Certificates Enrollment Settings table, below the Upload button.

See Handling client identity certificate expiration for Android devices and Mutual authentication between devices and Ivanti EPMM

Supported custom attributes for mutual authentication certificates

From Ivanti EPMM release 10.8.0.0 through the latest release supported by Ivanti, Inc, Ivanti EPMM supports only the following list of custom attributes in the Subject field for mutual authentication enrollment certificates:

  • $RANDOM_16$
  • $RANDOM_32$
  • $RANDOM_64$
  • $CONFIG_UUID$
  • $TIMESTAMP_MS$

If, after upgrading to release 10.8.0.0 or supported newer versions, the existing selected mutual authentication certificate includes unsupported attributes, Ivanti EPMM will replace them with the value $RANDOM_32$ for new device registrations and for existing device certificate renewals.

The Admin Portal > Settings > System Settings > Client Mutual Certificate Authentication > Certificate Enrollment setting drop-down menu displays only the Simple Certificate Enrollment Protocol (SCEP) configurations with the five supported custom attributes in the Subject field. Configurations with other custom attributes do not display.

New endpoint for mutual certification authentication

Once mutual authentication is enabled on Ivanti EPMM by the administrator, new mutual authentication devices endpoints are available for use by iOS and Android clients. The existing (old) OAuth endpoint is not protected by 2FA or mutual certificate authentication and is vulnerable to password spraying and DOS attacks. There is an option for the administrator to disable the original OAuth endpoint and utilize the new endpoint.

Below is an example scenario of the old OAuth versus the new endpoint:

Table 84.  Old OAuth vs New endpoint

New endpoint

Old OAuth

Not configured

Enabled (old OAuth endpoint works)
Enabled Enabled (new endpoint works)
Enabled Disabled (new endpoint works)
Disabled

Disabled (Error)

Note the following: You can have mutual certificate authentication on Ivanti Mobile@Work clients (both iOS and Android) and on the watchOS app, however, it will mean less security. Ivanti, Inc does not recommend putting mutual certificate authentication on the watchOS app.

To implement this setup, two endpoints are required:

  1. A current OAuth endpoint that can be used by watchOS app, an old or updated Ivanti Mobile@Work for iOS, OR an old or updated Ivanti Mobile@Work for Android and cURL script.
  2. A new endpoint that will always require mutual certificate authentication.

Before you begin 

Administrators should have enabled mutual certificate authentication and have migrated all the devices. Check-ins will occur on port 443 and not sync the TLS port 9997.

Procedure 

  1. Go to Settings > System Settings.

  2. In the left navigational pane, click Security > Certificate Authentication.

    The Client Mutual Certification Authentication page displays in the right pane.

  3. Use the below guidelines to complete this form.

    Table 85.  Client Mutual Certification Authentication

    Item

    Description

    Enable client mutual certificate authentication on Android client, iOS client, iOS and macOS MDM and AppConnect communications

    Selecting the check box is a pre-requisite to enabling the new endpoint.

    Enable new OAuth Endpoint with Mutual certificate Authentication

    Select this to enable the new endpoint. If this field is greyed out, it means you did not meet the pre-requisite requirements of enabling mutual certificate authentication and migrating all client devices. See Before you begin.

    Disable legacy OAuth Endpoint

    1. When selecting the Disable legacy OAuth Endpoint box, a confirmation displays. Click Disable.
    2. A second confirmation dialog box displays, click Disable.

    Once disabled, the WatchOS app will no longer work. This setting can be reversed by de-selecting it.

    Before disabling the legacy OAuth endpoint, make sure that all devices are migrated to the new endpoint.

  4. Click Save.

Handling client identity certificate expiration for Android devices

Ivanti Mobile@Work for Android handles the expiration of the client identity certificate used for mutual authentication between Ivanti Mobile@Work for Android and Ivanti EPMM. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Ivanti Mobile@Work determines the renewal window has begun, it requests a new certificate from Ivanti EPMM.

  • If Ivanti Mobile@Work is out of contact with Ivanti EPMM during the renewal window, but is in contact again within 30 days after the expiration, Ivanti Mobile@Work requests a new certificate from Ivanti EPMM.
  • If Ivanti Mobile@Work is not in contact with Ivanti EPMM either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Ivanti EPMM.
  • Ivanti Mobile@Work versions prior to 10.1 do not support certificate expiration. When the certificate expires, the device user must re-register Ivanti Mobile@Work .

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the appropriate sync policy.
  3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 270. A blank value defaults to 270 days.

  4. Click Save.
  5. Click OK.

Mutual authentication and Apps@Work

Both Apps@Work for Android and Apps@Work for iOS can use mutual authentication.

Apps@Work for iOS uses mutual authentication by default. It does not depend on the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

  • "Setting up Apps@Work for iOS and macOS" in the Ivanti EPMM Apps@Work Guide
  • "Apps@Work in Ivanti Mobile@Work for Android in the Ivanti EPMM Apps@Work Guide

Enabling mutual authentication for Apple and Android devices

The Ivanti EPMM mutual authentication setting enables mutual authentication for:

  • Ivanti Mobile@Work for Android
  • Ivanti Mobile@Work for iOS.
  • iOS MDM
  • macOS MDM

Mutual authentication is automatically enabled in the cases described in The mutual authentication setting on Ivanti EPMM.

Important After you enable mutual authentication, you cannot disable it.

Before you begin 

  1. As discussed in in Mutual authentication client identity certificate, create a SCEP certificate enrollment setting if you do not want to use the default local certificate enrollment setting for mutual authentication. The SCEP setting requires that you enable the following options:

    • Decentralized
    • Proxy requests through Ivanti EPMM

    For details, see Certificate Enrollment settings.

    When you enable mutual authentication, change the certificate enrollment selection for mutual authentication before any more devices register. Any devices already registered and using mutual authentication will not be able to check-in with Ivanti EPMM. Those devices will need to re-register with Ivanti EPMM. Note that devices already registered but not using mutual authentication can continue to check-in.

  2. If you are using iOS devices with the Apps@Work web clip using certificate authentication, change the Apps@Work Port field in the System Manager in Settings > Port Settings. Ivanti, Inc recommends port 7443. However, you can use any port except 443 or 8443 which are reserved for other EPMM services.

Procedure 

  1. In the Admin Portal, go to Settings > System Settings > Security > Certificate Authentication.
  2. Select Enable client mutual certification on Android client, iOS client and Apple MDM communication.
  3. In the Certificate Enrollment Configuration field, most customers use the default selection. Otherwise, select a SCEP certificate enrollment setting.
  4. Click Save.
  • “Setting up Apps@Work for iOS and macOS” in the Ivanti EPMM Apps@Work Guide
  • "Port settings" in the Ivanti EPMM System Manager Guide
  • “Apps@Work for Android authentication to Ivanti EPMM” in the Ivanti EPMM Apps@Work Guide

Enabling TLS inspecting proxy support when using mutual authentication

Contact Ivanti, Inc Professional Services or an Ivanti, Inc certified partner to set up this deployment.

Ivanti EPMM can support a TLS inspecting proxy to handle HTTPS requests from your devices to Ivanti EPMM when using mutual authentication. For example, you can use a TLS offload proxy such as an Apache or F5 server. This proxy is also known as a Trusted Front End. It intercepts and decrypts HTTPS network traffic and when it determines that the final destination is Ivanti EPMM, it re-encrypts and forwards the traffic to Ivanti EPMM. The devices that register to Ivanti EPMM (using port 443) must send HTTPS requests to the TFE rather than to Ivanti EPMM. Also, the TFE must be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.

"Advanced: Trusted Front End" in the Ivanti EPMM System Manager Guide

Migrating Ivanti Mobile@Work for Android and iOS to use mutual authentication

For devices that register after enabling mutual authentication, Ivanti Mobile@Work uses port 443 for device check-ins. However, devices that were already registered continue to use port 9997. Ivanti facilitates the ability to migrate Ivanti M@W from using port 9997 without mutual authentication to using port 443 with mutual authentication. The device users do not need to re-register with Ivanti EPMM.

Before you begin 

Instruct Android and iOS device users to upgrade to Ivanti Mobile@Work 10.1 for Android or or Ivanti Mobile@Work 12.11.10 for iOS or supported newer versions. Prior Ivanti Mobile@Work releases do not support migration.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the sync policy for the devices that you want to migrate. Select Edit.
  3. In the Modify Sync Policy dialog box, make sure that Migrate Mobile@Work Client is enabled.
  4. Click Save.
  5. Click OK.

On the next device check-in, Ivanti EPMM will send the mutual authentication client identity certificate to the device. In all subsequent device check-ins, the device will use mutual authentication on port 443.

On that first device check-in, the device's client migration status changes to Pending. After Ivanti EPMM has sent the mutual authentication client identity certificate to the device, the client migration status changes to Success. You can search on this value in the Client Migration Status field in Advanced Search on Devices & Users > Devices.

Mutual authentication between devices and Ivanti EPMM