Configuring OpenTrust CA

Ivanti EPMM supports integration with the OpenTrust Mobile Provisioning Server (MPS). This integration enables OpenTrust to perform the proxy tasks that would normally be performed by Ivanti EPMM. The following describes the configuration in Ivanti EPMM.

Note the following:

  • This integration does not support pushing Certificate Authority bundles to devices, a feature that OpenTrust offers.

  • Ivanti EPMM supports one certificate per OpenTrust configuration. OpenTrust supports creating profiles that have multiple credentials (a credential is called an application in the OpenTrust context).

Before you begin

The information in this section assumes the following:

  • You have the URL for your OpenTrust cloud instance.
  • You have the client-side JSON connector identity certificate Ivanti EPMM will use to authenticate to the MPS.
  • You have implemented a centralized OpenTrust cloud.
  • You have created a Mobile Management Profile on MPS containing a single centralized credential.


  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > OpenTrust.
  2. Use the following guidelines to specify the settings:

    Although optional fields are not required by OpenTrust, they are still used if present. Therefore, you must still specify the appropriate variable for each optional field. For example, the phone number might be an optional field because the tablets in your organization do not have phone numbers. However, MPS might still use this information to request a certificate from the PKI server if it is present.

    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Store keys on Ivanti EPMM: Specifies whether Ivanti EPMM stores the private key sent to each device. When key storage is enabled, private keys are encrypted and stored on the local Ivanti EPMM.
    • If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.
    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.
    • Device Certificate: Specifies that the certificate is bound to the given device.
    • API URL: Enter the URL for the OpenTrust server.
    • Certificate 1: This is the name of the uploaded certificate.
    • Password 1 (Optional): This password is optional.
    • Add Certificate: Click this link to add one or more certificates, as necessary.
    • Profile: This is the MPS Mobile Profile to use for the integration. If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that Ivanti EPMM does not currently support.
    • Profile Description: This is pre-populated based on the profile you select.
    • Application Description: This is populated automatically with the corresponding OpenTrust content associated with the selected profile.
    • MSSID: You must use the profile for which OpenTrust has added Microsoft Security Identifier (SID) support. Select the $USER_SID$ value from the drop-down list to generate a certificate with the SID extension, provided the LDAP user has the SID value.
  3. (Optional) Click Issue Test Certificate to verify the configuration. This generates a test certificate to confirm that there are no errors. Although this step is optional, it is recommended. A real certificate is not generated.
  4. Click Save.

If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

Revoking the certificate

You can revoke an OpenTrust certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the OpenTrust manager. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.


  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Click Actions > Revoke.