Configuring certificate pinning for registered devices

Implementing TLS server authentication certificate pinning in the client protects the application's traffic against rogue "trusted" certificates: certificates the device would otherwise accept, for example because a rogue CA has been maliciously installed on the client, that allow an attacker to impersonate the Ivanti EPMM server. This is the basis of a Man-in-the-Middle attack. Pinning a certificate is one method of preempting this type of attack and ensuring the client connects only to the true Ivanti EPMM server.

Pinning occurs during the TLS handshake: the client verifies the certificate sent by the server against an authoritative statement stored on the client that lists the certificates the client expects from the server, rather than relying only on the device's trust store. Certificate pinning protects against Man-in-the-Middle attacks that would expose confidential data.

Example case study: a Man-in-the-Middle attacker who can impersonate your Ivanti EPMM server can send commands to the device. This could result in device compromise and confidential data leakage.

Ivanti recommends creating a Certificate Pinning policy so that Ivanti Mobile@Work trusts only the legitimate Ivanti EPMM TLS server certificates listed in the policy. The Certificate Pinning policy works on Ivanti Mobile@Work 11.3.0.1 for Android and supported newer versions, and on Ivanti Mobile@Work 12.11.31 for iOS and supported newer versions.

Implementing this feature provides steady-state assurance that the client is connecting to an authentic Ivanti EPMM server that presents a TLS server certificate under your control.

For daily use cases such as check-in, Ivanti EPMM implements the TLS server authentication certificate pinning policy in Ivanti Mobile@Work. Ivanti Mobile@Work trusts Ivanti EPMM only if it presents one of the certificates in its pinning configuration. Once a device is registered to Ivanti EPMM, Ivanti Mobile@Work holds the pinned certificates, and the connection fails if the server presents a certificate that is not in the policy.

Steady-state pinning must be used in conjunction with the mutual authentication client identity feature. Pinning is implemented only on port 443, not on port 9997, so it has effect only when mutual authentication is active and devices access port 443 exclusively. For more information, see Mutual authentication between devices and Ivanti EPMM.

A certificate pinning policy supports multiple entries to enable a smooth transition when the Ivanti EPMM server's certificate is about to expire. Administrators can add the renewal certificate to the policy before it is active on the server and keep the expiring certificate in the policy, so devices continue to connect across the switch to the renewed certificate. Push the updated policy before the server starts presenting the renewal certificate: a device that holds only the expiring certificate cannot check in once the server presents a certificate it does not have pinned.
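The verification described above (the client accepting the server only when the presented certificate is one of the pinned entries) and the check an administrator wants before a certificate rotation, as an added shell example. This is not Ivanti's code and not the Mobile@Work implementation: it compares a presented server certificate against a directory of pinned PEM files by SHA-256 fingerprint of the whole certificate (the documentation only states that the client verifies the presented certificate against the pinned ones; fingerprint comparison is the assumption made here), and prints the validity window of each pinned entry so the expiring certificate and its renewal can be confirmed to overlap. The directory layout, file names and host name are hypothetical; `openssl` is required.

```shell
#!/bin/sh
# Added example, not Ivanti's code. Assumptions (hypothetical):
#   - each pinned policy entry is a PEM file in one directory (PINNED_DIR/*.pem)
#   - the presented server certificate is a PEM file, or is fetched from HOST:443

# SHA-256 fingerprint of a PEM certificate: lower-case hex, no colons.
# Works with both "SHA256 Fingerprint=" (OpenSSL 1.1) and "sha256 Fingerprint=" (3.x).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# pin_check PINNED_DIR PRESENTED_PEM
# Returns 0 if the presented certificate is one of the pinned entries, 1 otherwise.
# The match is on the whole certificate (its fingerprint), not on subject or
# issuer, so a certificate for the same host name issued by a rogue "trusted" CA
# still fails.
pin_check() {
    pinned_dir=$1
    presented=$2
    presented_fp=$(cert_fingerprint "$presented")
    [ -n "$presented_fp" ] || { echo "cannot read certificate $presented" >&2; return 1; }
    for pem in "$pinned_dir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ "$(cert_fingerprint "$pem")" = "$presented_fp" ]; then
            echo "match: $pem ($presented_fp)"
            return 0
        fi
    done
    echo "NO MATCH for fingerprint $presented_fp: a pinned client would refuse this server" >&2
    return 1
}

# pin_check_live PINNED_DIR HOST
# Fetches the leaf certificate the server presents on port 443 (the only port
# pinning applies to) and runs pin_check against it.
pin_check_live() {
    pinned_dir=$1
    host=$2
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    pin_check "$pinned_dir" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pin_validity PINNED_DIR
# Prints notBefore/notAfter for every pinned entry, one line per certificate.
# During rotation the renewal's notBefore should fall before the expiring
# certificate's notAfter, and both should be in the policy until the switch is done.
pin_validity() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        printf '%s: ' "$pem"
        openssl x509 -in "$pem" -noout -dates | tr '\n' ' '
        echo
    done
}
```

Run `pin_check_live /path/to/pinned epmm.example.com` (hypothetical names) before activating a policy to confirm the file you uploaded is the certificate actually served on port 443, and `pin_validity /path/to/pinned` before removing an expired entry. If the server already enforces mutual authentication and rejects connections without a client certificate, add `-cert`/`-key` with a device identity to the `openssl s_client` call so the handshake reaches the server certificate.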

Procedure 

  1. In Ivanti EPMM, go to Policies & Configs > Configurations.
  2. Select Add New > Certificates.

    The New Certificate Setting dialog box opens.

  3. Enter the Name and Description, and upload the certificate file that the Pinned Server Certificate Policy will reference.
  4. Select Save.

    Repeat these steps for each certificate you want to pin, for example when the current certificate is about to expire and the renewal certificate is already available.

  5. Go to Policies & Configs > Policies.

  6. Select Add New > Pinned Server Certificate Policy.

    The Add Pinned Server Certificate Policy dialog box opens.

  7. Use the information in the Pinned Server Certificate Policy Entries table below to enter your settings.

  8. Select Save.

Table 1. Pinned Server Certificate Policy Entries

  Item
    Description

  Name
    Enter a name for the policy.

  Status
    Select the relevant radio button to indicate whether the policy is Active or Inactive.
    Only one active policy of this type can be applied to a device.

  Priority
    Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.
    Select Higher than or Lower than, then select an existing policy from the drop-down list.
    For example, to give Policy A higher priority than Policy B, you would select "Higher than" and "Policy B".

  Description
    Enter an explanation of the purpose of this policy.

  Trusted Certificates
    1. In Trusted Certificates, select the Add+ button.
    2. A new drop-down field displays; select the certificate setting you created in step 3 of the procedure above. Repeat for each certificate to pin, including the renewal certificate during a rotation.
    Administrators can delete unwanted certificates by selecting the x in the row.

The new Pinned Server Certificate policy displays in the Policies page.

For information about certificate pinning for SCEP enrollment configurations, see "Configuring certificate pinning for registered devices" in the Security Settings > Certificate Mgmt section of the Ivanti EPMM System Manager Guide.