Mutual authentication between devices and Ivanti EPMM

Ivanti EPMM supports mutual authentication, which means that not only must the device trust Ivanti EPMM, but Ivanti EPMM must trust the device. Therefore, with mutual authentication, a registered device can continue to communicate with Ivanti EPMM only if the device provides the right certificate to Ivanti EPMM. Mutually authenticated communication between the device and Ivanti EPMM enhances security.

A device authenticating to Ivanti EPMM with a certificate is also known as certificate-based authentication to Ivanti EPMM.

Benefits of mutual certificate authentication

Without mutual certificate authentication, only the mobile client verifies Ivanti EPMM's certificate. The client is not required to provide its certificate to the server.

With mandatory mutual certificate authentication, Ivanti EPMM demands that the client also provide its certificate. Ivanti EPMM then verifies the certificate provided by the client.

Mutual certificate authentication improves security as it is not easy for an attacker to produce a certificate to impersonate the client.

Ivanti strongly recommends that you enable mutual authentication.

Scenarios that can use mutual authentication

The device can present a client identity certificate to Ivanti EPMM in the following cases:

Table 97.   Mutual authentication usage by platform

Platform

Mutual Authentication usage

iOS

macOS

Android

Windows 10

Device check-in

Mutual authentication is not possible at the time Ivanti [email protected] registers with Ivanti EPMM, because the device receives its identity certificate during the registration process.

Ivanti EPMM port usage with devices, with and without mutual authentication

The following table summarizes Ivanti EPMM port usage for registration and further communication with devices. The port usage for some cases is different depending on whether mutual authentication is enabled.

Table 98.   Ivanti EPMM port usage with devices with and without mutual authentication

 

Without mutual authentication

With mutual authentication

Ivanti [email protected] for iOS

9997

443

Ivanti [email protected] for Android

9997

443

Ivanti [email protected] for macOS

Not applicable.

Ivanti [email protected] for macOS always uses mutual authentication with Ivanti EPMM.

443

iOS and macOS MDM agent provisioning and agent check-in

443

443

Windows 10

Not applicable.

Windows 10 always uses mutual authentication with Ivanti EPMM.

443

Port 9997 is configurable in the System Manager in Settings > Port Settings > Sync TLS Port. However, changing the port is rare.

The mutual authentication setting on Ivanti EPMM

The setting on Ivanti EPMM to enable mutual authentication is in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. Whether the setting is automatically selected on new installations and upgrades is described by the following table.

Table 99.   Setting for mutual authentication on new installs and upgrades

 

Setting to enable mutual authentication

New installations

Not selected. Mutual authentication is not enabled.

Upgrade from a previous version of Ivanti EPMM in which mutual authentication was not enabled.
Or
Upgrade from a version of Ivanti EPMM prior to Ivanti EPMM 9.7.0.0 in which the Android mutual authentication setting was not enabled.

Not selected. Mutual authentication is not enabled.

 

Upgrade from a previous version of Ivanti EPMM in which mutual authentication was enabled.
Or
Upgrade from a version of Ivanti EPMM prior to Ivanti EPMM 9.7.0.0 in which the Android mutual authentication setting was enabled.

Selected. Mutual authentication is enabled.

IMPORTANT: Once mutual authentication is enabled on Ivanti EPMM, it cannot be disabled.

The mutual authentication setting impacts mutual authentication usage only on:

The mutual authentication setting has no impact on mutual authentication usage on:

When devices use mutual authentication

Whether devices use mutual authentication depends on:

  • The device platform
  • Which version of Ivanti EPMM your network is using
  • For Ivanti [email protected] for iOS, the version of Ivanti [email protected]
  • Whether mutual authentication was enabled before upgrade
  • Whether mutual authentication is enabled after upgrade
  • Whether mutual authentication is enabled after a new installation

The following table summarizes when devices use mutual authentication and the port they use in communication with Ivanti EPMM.

Table 100.   Ivanti EPMM mutual authentication (MA) setting impact to device communication

 

New Ivanti EPMM installation

 

or

 

Ivanti EPMM upgrade
in which:

MA setting was NOT enabled before upgrade

New Ivanti EPMM installation in which you enable MA setting after installation.

 

or

 

Ivanti EPMM upgrade in which:

MA setting was NOT enabled before upgrade but you enable it after the upgrade.

Ivanti EPMM upgrade in which:

 

MA setting WAS enabled before upgrade

Mutual authentication setting

Not enabled

Enabled

Enabled

Device client

Android:

Ivanti [email protected]

(all Ivanti [email protected] versions that Ivanti EPMM supports)

Port: 9997

MA: not used

Devices that register after enabling MA:

  • Port: 443
  • MA: used

Devices that were already registered:

  • Port: 9997
  • MA: not used.

Port: 443

MA: used

iOS:

Ivanti [email protected] 9.8 or supported newer versions

Port: 9997

MA: not used

Devices that register after enabling MA:

  • Port: 443
  • MA: used

Devices that were already registered:

  • Port: 9997
  • MA: not used.

Devices that register after enabling MA:

  • Port: 443
  • MA: used

Devices that were already registered:

  • Port: 9997
  • MA: not used.

iOS:

Ivanti [email protected] versions prior to 9.8

Port: 9997

MA: not used

Port: 9997

MA: not used

Port: 9997

MA: not used

iOS:

iOS MDM check-in

Port: 443

MA: not used

Port: 443

MA: used

Port: 443

MA: used.

macOS:

Ivanti [email protected]

Port: 443

MA: used

Port: 443

MA: used

Port: 443

MA: used

macOS

macOS MDM agent check-in

Port: 443

MA: not used

Port: 443

MA: used

Port: 443

MA: used

Windows 10

 

Port: 443

MA: used

Port: 443

MA: used

Port: 443

MA: used

On new Ivanti EPMM installations (not upgrades), if you enable mutual authentication before any devices register, you can disable port 9997 (in the System Manager in Settings > Port Settings > Sync TLS Port) because it is not used. If devices were registered before enabling mutual authentication, disabling the port causes those devices to not be able to check-in.

Mutual authentication identity certificate for Ivanti EPMM

You provide an identity certificate for Ivanti EPMM to use in mutual authentication in the Portal HTTPS certificate. You configure this certificate on the System Manager at Security > Certificate Mgmt. The certificate is the identify certificate and its certificate chain, including the private key, that identifies Ivanti EPMM, allowing the devices to trust Ivanti EPMM. This certificate must be a publicly trusted certificate from a well-known Certificate Authority when using mutual authentication.

Mutual authentication client identity certificate

You enable mutual authentication for iOS and Android devices in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. The certificate enrollment setting specifies how the identity certificate that the device will present to Ivanti EPMM is generated.

By default, the certificate enrollment setting for mutual authentication is generated with Ivanti EPMM as a local Certificate Authority (CA). Most customers use the default selection. However, if necessary due to your security requirements, you can instead specify a SCEP certificate enrollment setting that you create. In that case, see Create the SCEP enrollment certificate

Bridging old and new client mutual authentication CA certificates

For Ivanti EPMM systems prior to 11.5.0.0, updating a Certificate Authority (CA) certificate for client mutual authentication required re-registering all devices currently enrolled under that certification. With Ivanti EPMM 11.5.0.0 and supported newer versions, you can:

  • Upload and select a new client mutual authentication certificate for devices going forward
  • Retire the previous certificate, while still allow existing devices to check in.

Procedure 

  1. From the Admin portal, navigate to Settings > System Settings > Security > Certificate Authentication.

  2. From the Client Mutual Certificate Authentication page, select the Certificate Enrollment Setting where the updated certificate will be in effect.

  3. Click Upload CA Chain and follow the prompts. Once uploaded, the new CA will be in effect for new installations, while the older CA is still accessible to devices with older installations. You can see these older CA certificates in the Previously Trusted Certificates Enrollment Settings table, below the Upload button.

See Mutual authentication between devices and Ivanti EPMM and Handling client identity certificate expiration for iOS devices

Supported custom attributes for mutual authentication certificates

From Ivanti EPMM release 10.8.0.0 through the latest release supported by Ivanti, Inc, Ivanti EPMM supports only the following list of custom attributes in the Subject field for mutual authentication enrollment certificates:

  • $RANDOM_16$
  • $RANDOM_32$
  • $RANDOM_64$
  • $CONFIG_UUID$
  • $TIMESTAMP_MS$

If, after upgrading to release 10.8.0.0 or supported newer versions, the existing selected mutual authentication certificate includes unsupported attributes, Ivanti EPMM will replace them with the value $RANDOM_32$ for new device registrations and for existing device certificate renewals.

The Admin Portal > Settings > System Settings > Client Mutual Certificate Authentication > Certificate Enrollment setting drop-down menu displays only the Simple Certificate Enrollment Protocol (SCEP) configurations with the five supported custom attributes in the Subject field. Configurations with other custom attributes do not display.

New endpoint for mutual certification authentication

Once mutual authentication is enabled on Ivanti EPMM by the administrator, new mutual authentication devices endpoints are available for use by iOS and Android clients. The existing (old) OAuth endpoint is not protected by 2FA or mutual certificate authentication and is vulnerable to password spraying and DOS attacks. There is an option for the administrator to disable the original OAuth endpoint and utilize the new endpoint.

If mutual authentication migration is not enabled, then older client installations will continue to lack mutual authentication functionality.

This feature is applicable on Ivanti [email protected] for Android version 11.1.0.0 and Ivanti [email protected] for iOS version 12.11.10 or supported newer versions.

Below is an example scenario of the old OAuth versus the new endpoint:

Table 101.  Old OAuth vs New endpoint

New endpoint

Old OAuth

Not configured

Enabled (old OAuth endpoint works)
Enabled Enabled (new endpoint works)
Enabled Disabled (new endpoint works)
Disabled

Disabled (Error)

Note the following: You can have mutual certificate authentication on Ivanti [email protected] clients (both iOS and Android) and on the watchOS app, however, it will mean less security. Ivanti, Inc does not recommend putting mutual certificate authentication on the watchOS app.

To implement this setup, two endpoints are required:

  1. A current OAuth endpoint that can be used by watchOS app, an old or updated Ivanti [email protected] for iOS, OR an old or updated Ivanti [email protected] for Android and cURL script.
  2. A new endpoint that will always require mutual certificate authentication.

Before you begin 

  • Administrators should have enabled mutual certificate authentication and have migrated all the devices. Check-ins will occur on port 443 and not sync the TLS port 9997.
  • Clients need to be upgraded to the version that supports the new endpoint.

Procedure 

  1. Go to Settings > System Settings.

  2. In the left navigational pane, click Security > Certificate Authentication.

    The Client Mutual Certification Authentication page displays in the right pane.

  3. Use the below guidelines to complete this form.

    Table 102.  Client Mutual Certification Authentication

    Item

    Description

    Enable client mutual certificate authentication on Android client, iOS client, iOS and macOS MDM and AppConnect communications

    Selecting the check box is a pre-requisite to enabling the new endpoint.

    Certificate Enrollment Setting

    Select System-Mutual Auth CE from the drop-down.

    Enable new OAuth Endpoint with Mutual certificate Authentication

    Select this to enable the new endpoint. If this field is greyed out, it means you did not meet the pre-requisite requirements of enabling mutual certificate authentication and migrating all client devices. See Before you begin.

    Disable legacy OAuth Endpoint

    This should only be done after the client devices have been updated to Ivanti [email protected] for Android version X and Ivanti [email protected] for iOS version X.

    1. When selecting the Disable legacy OAuth Endpoint box, a confirmation displays. Click Disable.
    2. A second confirmation dialog box displays, click Disable.

    Once disabled, the WatchOS app will no longer work. This setting can be reversed by de-selecting it.

    Before disabling the legacy OAuth endpoint, make sure that all devices are migrated to the new endpoint.

  4. Click Save.

Handling client identity certificate expiration for iOS devices

Ivanti [email protected] for iOS handles the expiration of the client identity certificate used for mutual authentication between Ivanti [email protected] for iOS and Ivanti EPMM. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Ivanti [email protected] determines the renewal window has begun, it requests a new certificate from Ivanti EPMM.

  • If Ivanti [email protected] is out of contact with Ivanti EPMM during the renewal window, but is in contact again within 30 days after the expiration, Ivanti [email protected] requests a new certificate from Ivanti EPMM.

  • If Ivanti [email protected] is not in contact with Ivanti EPMM either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Ivanti EPMM.

  • Ivanti [email protected] versions prior to 11.1.0 do not support certificate expiration. When the certificate expires, the device user must re-register Ivanti [email protected] .

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the appropriate sync policy.
  3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 270. A blank value defaults to 270 days.

  4. Click Save.
  5. Click OK.

Mutual authentication and [email protected]

Both [email protected] for Android and [email protected] for iOS can use mutual authentication.

[email protected] for iOS uses mutual authentication if you select Certificate Authentication at Apps > [email protected] Settings > App Storefront Authentication. It does not depend on the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

However, [email protected] for Android uses mutual authentication only if you do both of the following:

  • Select Certificate Authentication at Apps > [email protected] Settings > App Storefront Authentication.
  • Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

Enabling mutual authentication for Apple and Android devices

The Ivanti EPMM mutual authentication setting enables mutual authentication for:

Mutual authentication is automatically enabled in the cases described in The mutual authentication setting on Ivanti EPMM.

Important After you enable mutual authentication, you cannot disable it.

Before you begin 

  1. As discussed in in Mutual authentication client identity certificate, create a SCEP certificate enrollment setting if you do not want to use the default local certificate enrollment setting for mutual authentication. The SCEP setting requires that you enable the following options:

    • Decentralized
    • Proxy requests through Ivanti EPMM

    For details, see Certificate Enrollment settings.

    When you enable mutual authentication, change the certificate enrollment selection for mutual authentication before any more devices register. Any devices already registered and using mutual authentication will not be able to check-in with Ivanti EPMM. Those devices will need to re-register with Ivanti EPMM. Note that devices already registered but not using mutual authentication can continue to check-in.

  2. If you are using iOS devices with the [email protected] web clip using certificate authentication, change the [email protected] Port field in the System Manager in Settings > Port Settings. Ivanti, Inc recommends port 7443. However, you can use any port except the port that the Admin Portal uses, which is either 443 or 8443, which you specify in the MIFS Admin Port field in the System Manager in Settings > Port Settings.

Procedure 

  1. In the Admin Portal, go to Settings > System Settings > Security > Certificate Authentication.
  2. Select Enable client mutual certification on Android client, iOS client and Apple MDM communication.
  3. In the Certificate Enrollment Configuration field, most customers use the default selection. Otherwise, select a SCEP certificate enrollment setting.
  4. Click Save.

Enabling TLS inspecting proxy support when using mutual authentication

Contact Ivanti, Inc Professional Services or an Ivanti, Inc certified partner to set up this deployment.

Ivanti EPMM can support a TLS inspecting proxy to handle HTTPS requests from your devices to Ivanti EPMM when using mutual authentication. For example, you can use a TLS offload proxy such as an Apache or F5 server. This proxy is also known as a Trusted Front End. It intercepts and decrypts HTTPS network traffic and when it determines that the final destination is Ivanti EPMM, it re-encrypts and forwards the traffic to Ivanti EPMM. The devices that register to Ivanti EPMM (using port 443) must send HTTPS requests to the TFE rather than to Ivanti EPMM. Also, the TFE must be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.

"Advanced: Trusted Front End" in the Ivanti EPMM System Manager Guide

Migrating Ivanti [email protected] for Android and iOS to use mutual authentication

For devices that register after enabling mutual authentication, Ivanti [email protected] uses port 443 for device check-ins. However, devices that were already registered continue to use port 9997. You can migrate Ivanti [email protected] for Android from using port 9997 without mutual authentication to using port 443 with mutual authentication. The device users do not need to re-register with Ivanti EPMM.

Before you begin 

Instruct Android and iOS device users to upgrade to Ivanti [email protected] 10.1 for Android or or Ivanti [email protected] 12.11.10 for iOS or supported newer versions. Prior Ivanti [email protected] releases do not support migration.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the sync policy for the devices that you want to migrate. Select Edit.
  3. In the Modify Sync Policy dialog box, select Migrate [email protected] Client.
  4. Click Save.
  5. Click OK.

On the next device check-in, Ivanti EPMM will send the mutual authentication client identity certificate to the device. In all subsequent device check-ins, the device will use mutual authentication on port 443.

On that first device check-in, the device's client migration status changes to Pending. After Ivanti EPMM has sent the mutual authentication client identity certificate to the device, the client migration status changes to Success. You can search on this value in the Client Migration Status field in Advanced Search on Devices & Users > Devices.

When devices use mutual authentication