Supported certificate scenarios

MobileIron supports the following certificate scenarios:

MobileIron Core as a certificate authority

You can configure MobileIron Core as a local certificate authority (CA) for the following scenarios:

  • Core as an Independent Root CA (self-signed)—Configure Core as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Core as the certificate authority.
  • Core as an Intermediate CA—Use this option when your company already has its own certificate authority. Using Core as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

Using MobileIron Core as a certificate proxy

MobileIron Core can act as a proxy to a third-party CA, using either the APIs that the CA exposes or the SCEP protocol to obtain the certificates required by a Certificate Enrollment. This enables you to configure certificate-based authentication for devices.

Using Core as a certificate proxy has the following benefits:

  • Certificates verify Exchange ActiveSync, Wi-Fi, and/or VPN connections, eliminating the need for passwords that are complex to manage.
  • MobileIron can manage certificates by checking their status against a CA's CRL, deactivating revoked certificates, and requesting replacements when certificates are about to expire.
  • MobileIron can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
  • Simplified enrollment with the following:
    • MS Certificate Enrollment
    • Entrust
    • Local CA
    • Symantec Managed PKI
    • User provided certificates
    • Open Trust
    • Symantec Web Services Managed PKI
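
The CRL check and expiry handling listed in the benefits above, sketched as an added example. This is not MobileIron code: the class names, action labels, 30-day renewal window, and the fail-closed handling of a stale CRL are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative model only: names and policy values are assumptions,
# not MobileIron Core settings or APIs.
RENEW_WINDOW = timedelta(days=30)  # assumed "about to expire" threshold

@dataclass(frozen=True)
class DeviceCert:
    device: str
    serial: int
    not_after: datetime

@dataclass(frozen=True)
class Crl:
    revoked_serials: frozenset
    next_update: datetime  # after this time the CRL is stale

def lifecycle_action(cert, crl, now):
    """Return the action to take for one device certificate."""
    if now > crl.next_update:
        # A stale CRL cannot show the certificate is still good: fail closed.
        return "refresh-crl"
    if cert.serial in crl.revoked_serials:
        return "deactivate"          # revocation wins over every other state
    if now >= cert.not_after:
        return "block-and-reissue"   # already expired, must not reconnect
    if cert.not_after - now <= RENEW_WINDOW:
        return "renew"               # request a replacement before expiry
    return "keep"

def sweep(certs, crl, now):
    """Map each device to its action for one pass over the inventory."""
    return {c.device: lifecycle_action(c, crl, now) for c in certs}

# Constructed sample data (not real serials or devices).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    DeviceCert("ipad-01", 0x1001, NOW + timedelta(days=200)),
    DeviceCert("iphone-02", 0x1002, NOW + timedelta(days=12)),
    DeviceCert("iphone-03", 0x1003, NOW + timedelta(days=90)),
    DeviceCert("ipad-04", 0x1004, NOW - timedelta(days=1)),
]
CRL = Crl(frozenset({0x1003}), NOW + timedelta(days=7))

if __name__ == "__main__":
    for device, action in sweep(INVENTORY, CRL, NOW).items():
        print(f"{device}: {action}")
```

The order of the checks matters: a revoked certificate is deactivated even if it is also inside the renewal window, and nothing is trusted while the CRL itself is out of date.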

The following applications are supported.

  • ActiveSync is supported with Email+ and the iOS native mail client.
  • VPN is supported on and on iOS with IPSec, Cisco AnyConnect, and JunOS Pulse.
  • Wi-Fi.

The following certificates are supported for iOS devices:

  • Microsoft NDES Certificate Enrollment
  • Entrust
  • Local CA
  • Symantec Managed PKI
  • User provided certificates
  • Open Trust
  • Symantec Web Services Managed PKI
  • Client-provided certificates
  • Client-provided certificates using the native SCEP client on iOS

For information about how to create certificate enrollment settings in MobileIron Core, see Certificate Enrollment settings.

Using MobileIron Core as a certificate enrollment reverse proxy

Identity certificates with Microsoft Certificate Enrollment are supported. A root or intermediate certificate from a trusted certificate authority (CA) is required, and you must set up MobileIron Core to act as a SCEP reverse proxy.

Windows devices originate the certificate request. When a Windows device requests a certificate, MobileIron Core acts as a Certificate Enrollment reverse proxy and communicates with the Certificate Enrollment server to deliver the certificate to the device.