Identity Certificate

This section contains the following topics:

Identity certificate settings
Distributing the configuration

An identity certificate configuration defines a certificate authentication mechanism for mobile devices. Identity certificates are X.509 certificates (.p12 or .pfx). Also, the identity certificates can be generated dynamically using the Certificate Authority as a source. Before beginning, you should already know how you plan to distribute certificates to your mobile devices. You should also have configured any necessary certificate authority.

Starting from release 91, the Device Identity certificate for Apple devices is automatically renewed within 30 days of expiry. iOS devices receive renewed MDM certificates from Ivanti Neurons for MDM as part of the regular device check-in flow. However, iOS devices need to be re-enrolled with Ivanti Neurons for MDM when they are offline long enough for the MDM certificate to expire before a check-in that would have renewed the certificate before expiration.

SHA-1 certificates are deprecated while creating the identity certificates. You can choose other algorithms. While updating the certificates, if the older certificates use SHA-1, the same SHA-1 algorithm can be used. If the older certificates use an algorithm above SHA-1, then switching to SHA-1 is not allowed.
After configuring an identity certificate, you can click Test Configuration and continue to issue and verify the validity of the test certificate. An error may display by performing this test for a new or an existing dynamically generated identity certificate configuration if the subject name is the same as the local certificate authority. When this error message is displayed you should modify the identity certificate subject name which should be different from the local certificate authority subject name. For existing identity certificate configurations that are modified with the subject name, the certificates are re-issued and the configurations are re-pushed.

If you have setup the option to create a configuration without issuing test certificate for Dynamically Generated certificate distribution, click Continue.
While editing an existing identity certificate configuration (which is in turn used in a Sentry profile for Tunnel or AppTunnel), from the Actions menu you can select the Clear cached certificates and issue new ones with recent updates option if required. Non-cached certificates will be re-issued automatically.
When Identity certificates are assigned to Android apps, the user's app get Identity certificates without prompting the users to grant the permission (rather than app) to use the certificate. It includes all apps like Email+, Gmail, etc.
Email+ can be configured with a user provided identity certificate and pushed and assigned as an app configuration to Android enterprise devices. It is applicable only to Work Profile on Company Owned Device and Device Owner modes.

Identity certificate settings

Setting	What To Do
Name	Enter a name that identifies this configuration.
Description	Enter a description that clarifies the purpose of this configuration.
Certificate Distribution	Select the type of certificate distribution to set up: Single File: Upload an existing certificate for distribution to devices. Dynamically Generated: Create certificates on request using a local or external certificate authority. User provided: Create labels for the type of certificates to be uploaded by the user. When created, the user will be able to see the created labels (options) in the self-service portal, and upload certificates corresponding to these labels. Derived Credential : Specify one of the following usages for the derived credential: Authentication Encryption Signing Decryption SCEP Config: Specify how to request a certificate from a SCEP server. Select one of the following configurations: Apple Config Windows Config Your selection determines which options display in the rest of the form.
Allow All Apps to access Private Key (macOS 10.10+)	Applicable to: Single file, Dynamically Generated, User Provided, and SCEP Apple Config identity certificates. (Optional) For PKCS#12 certificates, enable the Allow All Apps to access Private Key option to allow all apps access to the private key. For example, this key can be used in cases where a password is requested from the user to allow access to a certificate used for VPN.
Single File
Identity Certificate data	Drag the certificate file to the dotted box, or click Choose File to select it from your file system.
Password	Enter the password protecting the PKCS#12 certificate file. This password is used for installation without prompting.
Dynamically Generated
Source	Select the local certificate authority from the drop-down. You should have already created this CA under Admin > Certificate Management.
Create configuration without issuing test certificate	Select the check box to create a configuration without issuing test certificate.
Windows only - Target Certificate Store	Admins can now select the Target Certificate Store on Windows devices.
User Provided
Certificate Display Name	Enter the name of the certificate. This certificate name is unique for a tenant and the user will be able to see the name in the self-service portal while uploading the certificate.
Delete the Private Key	Select this option to delete the private key of the certificate after n (1-30) days. You can also use the APIs provided by Ivanti Neurons for MDM for these operations. Refer to the Ivanti Neurons for MDM API Guide for more information about the APIs. If you try to use this certificate in any configuration (for example, to authenticate an application or to push a WiFi or a VPN configuration) after its private key has been deleted, the task will fail. Ensure that the task is performed before the private key is deleted.
Delete the Private Key after Days	Select the number of days (1-30) after which private keys of the certificate are cleared. Default value is 2 days.
Derived Credential
Derived Credential Usage	Select any of the following options: Authentication - To specify that the derived credential is used for authentication. Encryption - To specify that the usage of the derived credential is for encryption. Signing - To specify that the derived credential is used for signing. Decryption - To specify that the usage of the derived credential is for decryption.
Brand	Select the Derived Credential Provider that you use from the following options: Entrust Intercede Purebred To add custom derived credential providers that you use, see Derived Credential Providers.
ACME Config - Applicable only to iOS/iPadOS16+
Client Identifier	A unique string identifying a specific device
Directory URL	(Required) The directory URL of the ACME server. The URL must use the https scheme.
Extended Key Usage	The value is an array of strings. Each string is an OID in dotted notation. For instance, [”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”] indicates client authentication and email protection. The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Key Size	(Required) The valid values for KeySize depend on the values of KeyType and HardwareBound. See those keys for specific requirements.
Key Type	(Required) The type of key pair to generate.
Subject	(Required) The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to: [ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). Type: [string]
Subject Alternate Name	The Subject Alt Name that the device requests for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Key Usage	This value is a bit field. Bit 0x01 indicates digital signature. Bit 0x10 indicates key agreement. The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Hardware Bound	If the Hardware bound is set to true the private key is bound to the device, and only then the Key Type must be ECSECPrimeRandom and Key Size must be 256 or 384.
Attest	If true, the device provides attestations describing the device and the generated key to the ACME server. When Attest is true, Hardware Bound must also be true.
SCEP Config - Apple Config
Identity Certificate (SCEP)	Select to specify a SCEP server.
Local Certificate Authority	Select to specify a local certificate authority that you have already created under Admin > Certificate Management. Select the local certificate authority from the drop-down that appears when you select this option.
URL	Enter the URL for the SCEP server.
CA Identifier	Enter the identifier provided by the certificate authority.
Subject	Enter an X.500 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com. You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$. For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN. Do not use the backslash character (\) in the subject name.
Subject Alternate Name Type	Select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template.
Subject Alternate Name Value	Enter the value for the corresponding type. If you type '$' as the first character, a drop-down list is displayed with possible custom LDAP and AAD attributes. Select the appropriate custom attribute from the list. If AAD value is used, only 'onPremisesImmutableId' is supported. Enter fn:base64tohex(${onPremisesImmutableId})
NT Principal Name	Enter a subject alt name for Microsoft environment. This would usually be configured to include the user's UPN (user principal name).
Challenge	(Optional) Used as a pre-shared secret for automatic enrollment.
Retries	Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.
Retry delay	Select from the list to set the number of seconds to wait before a retry.
Key size	Select 1024, 2048, or 4096 bits.
Use as digital signature	Select if the certificate can be used for signing.
Use as key encipherment	Select if the certificate can be used for encryption.
CA Fingerprint	If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA’s certificate. MD5 fingerprints is supported. If you prefer, you can create a fingerprint from the certificate. Just drag and drop the certificate to the designated area or click Create from Certificate to select the certificate from your file system.
SCEP Config - Windows Config
CA (Certificate Authority)	Select to specify a certificate authority that you have already created under Admin > Certificate Management. Select the certificate authority from the drop-down that appears when you select this option.
Subject	Enter an X.500 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com. You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$. For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN. Do not use the backslash character (\) in the subject name.
Subject Alternate Name Type	Click + Add to select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template.
Retries	Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.
Retry delay	Select from the list to set the number of seconds to wait before a retry.
Key Length	Select key size in 1024, 2048, or 4096 bits.
Select usage	Select at least one option: Use as digital signature - Select if the certificate can be used for signing. Use as key encipherment - Select if the certificate can be used for encryption.
Validity	Select validity in days, months, or years.
CA Thumbprint	If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA’s certificate. MD5 fingerprints is supported. If you prefer, you can create a fingerprint from the certificate. Just drag and drop the certificate to the designated area or click Create from Certificate to select the certificate from your file system.
Hash Algorithm Family	Select SHA-2 or SHA-3 algorithms.

When applying an Identity Certificate to a work profile on a device without setting a work challenge passcode, the device prompts for a device passcode, rather than a work challenge passcode.

For more information, see Working with Configurations.