Identity Certificate

An identity certificate configuration defines a certificate authentication mechanism for mobile devices. Identity certificates are X.509 certificates (.p12 or .pfx). Also, the identity certificates can be generated dynamically using the Certificate Authority as a source. Before beginning, you should already know how you plan to distribute certificates to your mobile devices. You should also have configured any necessary certificate authority.

Starting from release 91, the Device Identity certificate for Apple devices is automatically renewed within 30 days of expiry. iOS devices receive renewed MDM certificates from Ivanti Neurons for MDM as part of the regular device check-in flow. However, iOS devices need to be re-enrolled with Ivanti Neurons for MDM when they are offline long enough for the MDM certificate to expire before a check-in that would have renewed the certificate before expiration.

  • SHA-1 is deprecated for new identity certificates; choose another algorithm. When updating an existing certificate that already uses SHA-1, SHA-1 may still be used. If the existing certificate uses an algorithm stronger than SHA-1, switching it to SHA-1 is not allowed.
  • After configuring an identity certificate, you can click Test Configuration to issue a test certificate and verify its validity. For a new or existing dynamically generated identity certificate configuration, this test displays an error if the subject name is the same as the local certificate authority's subject name. If this error is displayed, change the identity certificate subject name so that it differs from the local certificate authority subject name. For existing identity certificate configurations whose subject name is modified, the certificates are re-issued and the configurations are re-pushed.

    If you have set up the option to create a configuration without issuing a test certificate for Dynamically Generated certificate distribution, click Continue.
  • While editing an existing identity certificate configuration that is used in a Sentry profile for Tunnel or AppTunnel, you can select Clear cached certificates and issue new ones with recent updates from the Actions menu if required. Non-cached certificates are re-issued automatically.
  • When identity certificates are assigned to Android apps, the apps receive the identity certificates without prompting the user to grant the app permission to use the certificate. This applies to all apps, including Email+ and Gmail.
  • Email+ can be configured with a user-provided identity certificate and pushed and assigned as an app configuration to Android Enterprise devices. This applies only to Work Profile on Company Owned Device and Device Owner modes.

Identity certificate settings

Setting

What To Do

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Certificate Distribution

Select the type of certificate distribution to set up:

  • Single File: Upload an existing certificate for distribution to devices.
  • Dynamically Generated: Create certificates on request using a local or external certificate authority.
  • User provided: Create labels for the types of certificates the user is to upload. The user sees the created labels (options) in the self-service portal and uploads certificates corresponding to these labels.
  • Derived Credential: Specify one of the following usages for the derived credential:
    • Authentication
    • Encryption
    • Signing
    • Decryption
  • SCEP Config: Specify how to request a certificate from a SCEP server. Select one of the following configurations:
    • Apple Config
    • Windows Config

Your selection determines which options display in the rest of the form.

Allow All Apps to access Private Key (macOS 10.10+)

Applicable to: Single file, Dynamically Generated, User Provided, and SCEP Apple Config identity certificates.

(Optional) For PKCS#12 certificates, enable the Allow All Apps to access Private Key option to allow all apps access to the private key.

For example, enable this option where the user would otherwise be prompted for a password before an app can access a certificate used for VPN.

Single File

Identity Certificate data

Drag the certificate file to the dotted box, or click Choose File to select it from your file system.

Password

Enter the password protecting the PKCS#12 certificate file. This password is used for installation without prompting.

Dynamically Generated

Source

Select the local certificate authority from the drop-down. You should have already created this CA under Admin > Certificate Management.

Create configuration without issuing test certificate

Select the check box to create the configuration without issuing a test certificate.

Windows only - Target Certificate Store

Admins can now select the Target Certificate Store on Windows devices.

User Provided

Certificate Display Name

Enter the name of the certificate. This certificate name is unique for a tenant and the user will be able to see the name in the self-service portal while uploading the certificate.

Delete the Private Key

Select this option to delete the private key of the certificate after n (1-30) days.

You can also use the APIs provided by Ivanti Neurons for MDM for these operations. Refer to the Ivanti Neurons for MDM API Guide for more information about the APIs.

If you try to use this certificate in any configuration (for example, to authenticate an application or to push a WiFi or a VPN configuration) after its private key has been deleted, the task will fail. Ensure that the task is performed before the private key is deleted.

Delete the Private Key after Days

Select the number of days (1-30) after which private keys of the certificate are cleared. Default value is 2 days.

Derived Credential

Derived Credential Usage

Select any of the following options:

  • Authentication - Specifies that the derived credential is used for authentication.
  • Encryption - Specifies that the derived credential is used for encryption.
  • Signing - Specifies that the derived credential is used for signing.
  • Decryption - Specifies that the derived credential is used for decryption.

Brand

Select the Derived Credential Provider that you use from the following options:

  • Entrust
  • Intercede
  • Purebred

To add custom derived credential providers that you use, see Derived Credential Providers.

ACME Config - Applicable only to iOS/iPadOS16+

Client Identifier

A unique string identifying a specific device.

Directory URL

(Required) The directory URL of the ACME server. The URL must use the https scheme.

Extended Key Usage

The value is an array of strings. Each string is an OID in dotted notation. For instance, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"] indicates client authentication and email protection.

The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.

Key Size

(Required) The valid values for KeySize depend on the values of KeyType and HardwareBound. See those keys for specific requirements.

Key Type

(Required) The type of key pair to generate.

Subject

(Required) The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. The subject is an X.500 name represented as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to:

[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]

Dotted numbers can represent OIDs, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).

Type: [string]

Subject Alternate Name

The Subject Alt Name that the device requests for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.

Key Usage

This value is a bit field.

Bit 0x01 indicates digital signature.

Bit 0x10 indicates key agreement.

The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.

Hardware Bound

If Hardware Bound is set to true, the private key is bound to the device; in that case Key Type must be ECSECPrimeRandom and Key Size must be 256 or 384.

Attest

If true, the device provides attestations describing the device and the generated key to the ACME server. When Attest is true, Hardware Bound must also be true.
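As an added example (not Ivanti's or Apple's code), the following Python converts the slash-separated subject shown above into the nested array form and checks the Directory URL, Key Type, Key Size, Hardware Bound and Attest constraints stated in this section. The dictionary key names, the check logic and the sample values are assumptions of this example, not a documented API.

```python
import re

# Attribute shortcuts named on the page; anything else must be a dotted OID.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"\d+(\.\d+)+")
KEY_USAGE_DIGITAL_SIGNATURE = 0x01  # bit value given on the page
KEY_USAGE_KEY_AGREEMENT = 0x10      # bit value given on the page


def subject_to_array(dn: str) -> list:
    """Turn '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' into
    [[['C', 'US']], [['O', 'Apple Inc.']], ...]. Values containing '/' are
    not supported by this simple splitter."""
    rdns = []
    for part in dn.strip("/").split("/"):
        attr, _, value = part.partition("=")
        if not value:
            raise ValueError(f"malformed RDN: {part!r}")
        if attr not in SHORTCUTS and not DOTTED_OID.fullmatch(attr):
            raise ValueError(f"unknown attribute, use a dotted OID: {attr!r}")
        rdns.append([[attr, value]])
    return rdns


def validate_acme_config(cfg: dict) -> list:
    """Return the list of violated constraints (empty when the config is valid)."""
    problems = []
    if not cfg.get("DirectoryURL", "").startswith("https://"):
        problems.append("DirectoryURL must use the https scheme")
    if cfg.get("Attest") and not cfg.get("HardwareBound"):
        problems.append("Attest requires HardwareBound to be true")
    if cfg.get("HardwareBound"):
        if cfg.get("KeyType") != "ECSECPrimeRandom":
            problems.append("HardwareBound requires KeyType ECSECPrimeRandom")
        if cfg.get("KeySize") not in (256, 384):
            problems.append("HardwareBound requires KeySize 256 or 384")
    for oid in cfg.get("ExtendedKeyUsage", []):
        if not DOTTED_OID.fullmatch(oid):
            problems.append(f"ExtendedKeyUsage entry is not a dotted OID: {oid!r}")
    return problems


# Constructed sample configuration (identifier and URL are placeholders).
SAMPLE_CONFIG = {
    "ClientIdentifier": "device-0001-placeholder",
    "DirectoryURL": "https://acme.example.invalid/directory",
    "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
    "KeyType": "ECSECPrimeRandom",
    "KeySize": 256,
    "Subject": subject_to_array("/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar"),
    "KeyUsage": KEY_USAGE_DIGITAL_SIGNATURE | KEY_USAGE_KEY_AGREEMENT,
    "HardwareBound": True,
    "Attest": True,
}
```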

SCEP Config - Apple Config

Identity Certificate (SCEP)

Select to specify a SCEP server.

Local Certificate Authority

Select to specify a local certificate authority that you have already created under Admin > Certificate Management. Select the local certificate authority from the drop-down that appears when you select this option.

URL

Enter the URL for the SCEP server.

CA Identifier

Enter the identifier provided by the certificate authority.

Subject

Enter an X.500 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com.

You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.

For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN.

Do not use the backslash character (\) in the subject name.

Subject Alternate Name Type

Select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template.

Subject Alternate Name Value

Enter the value for the corresponding type. If you type '$' as the first character, a drop-down list is displayed with possible custom LDAP and AAD attributes. Select the appropriate custom attribute from the list.

If an AAD value is used, only 'onPremisesImmutableId' is supported. Enter fn:base64tohex(${onPremisesImmutableId}).

NT Principal Name

Enter a subject alt name for a Microsoft environment. This is usually configured to include the user's UPN (user principal name).

Challenge

(Optional) Used as a pre-shared secret for automatic enrollment.

Retries

Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.

Retry delay

Select from the list to set the number of seconds to wait before a retry.

Key size

Select 1024, 2048, or 4096 bits.

Use as digital signature

Select if the certificate can be used for signing.

Use as key encipherment

Select if the certificate can be used for encryption.

CA Fingerprint

If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA's certificate. MD5 fingerprints are supported.

If you prefer, you can create a fingerprint from the certificate. Just drag and drop the certificate to the designated area or click Create from Certificate to select the certificate from your file system.

SCEP Config - Windows Config

CA (Certificate Authority)

Select to specify a certificate authority that you have already created under Admin > Certificate Management. Select the certificate authority from the drop-down that appears when you select this option.

Subject

Enter an X.500 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com.

You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.

For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN.

Do not use the backslash character (\) in the subject name.

Subject Alternate Name Type

Click + Add to select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template.

Retries

Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.

Retry delay

Select from the list to set the number of seconds to wait before a retry.

Key Length

Select a key size of 1024, 2048, or 4096 bits.

Select usage

Select at least one option:

  • Use as digital signature - Select if the certificate can be used for signing.
  • Use as key encipherment - Select if the certificate can be used for encryption.

Validity

Select validity in days, months, or years.

CA Thumbprint

If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA's certificate. MD5 fingerprints are supported.

If you prefer, you can create a fingerprint from the certificate. Just drag and drop the certificate to the designated area or click Create from Certificate to select the certificate from your file system.

Hash Algorithm Family

Select SHA-2 or SHA-3 algorithms.

When applying an Identity Certificate to a work profile on a device without setting a work challenge passcode, the device prompts for a device passcode, rather than a work challenge passcode.

Distributing the configuration

Starting from Ivanti Neurons for MDM release 81, global administrators can delegate space administrators to edit the Dynamically Generated Identity Certificate for the All Devices and Custom distribution options. For Dynamically Generated certificates, you can optionally select the Allow this configuration to be available in all Spaces option. This makes the Dynamically Generated Identity Certificate available to all Spaces, where it can be used in Exchange, Wi-Fi, VPN and any other applicable configurations, including managed app configurations. Use this option when the Dynamically Generated Identity Certificate only needs to reach devices in non-default Spaces as part of associated configurations, rather than being distributed as an individual configuration.

Procedure

  1. Specify the Identity Certificate settings fields using the information from the preceding table.
  2. Click Next.
  3. Select the Enable this configuration option.
  4. (Optional) Select Allow this configuration to be available in all Spaces.

  5. Select one of the following distribution options:
    • All Devices. Select one of the following options:
      • Do not apply to other spaces.
      • Apply to devices in other Spaces.
        • Select Allow Space Admin to Edit the Distribution check box to allow the delegated space administrators to edit the distribution for the specific space.
    • No Devices (default)
    • Custom. Select one of the following options:
      • Do not apply to other spaces.
      • Apply to devices in other Spaces.
        • Select Allow Space Admin to Edit the Distribution check box to allow the delegated space administrators to edit the distribution for the specific space.

    Irrespective of spaces, Dynamically Generated Identity Certificate can be configured to all spaces, distributed to all devices, and applied to all devices in other device spaces.

  6. Click Done.