Certificate Enrollment settings

Certificate enrollment settings are used as follows:

  • As part of a larger process of setting up a certificate enrollment server to support authentication for VPN on demand, Wi-Fi, Exchange ActiveSync, AppTunnel and so on.
  • To provide devices identity certificates that you uploaded to Core for the case when you want to provide the same identity certificate to many users’ devices.
  • To provide user-provided certificates to devices when end users use the MobileIron Core user portal to upload their identity certificates to Core.
  • To specify that AppConnect apps on devices use derived credentials.

The available options are:

  • Blue Coat: Select Blue Coat to create a Blue Coat certificate enrollment setting for integrating with the Blue Coat Mobile Device Security service.
  • Client-Provided: Select Client-Provided if you want AppConnect apps to use derived credentials for authentication, digital signing, or encryption.
  • Entrust: Select Entrust if you are using the Entrust Datacard certificate enrollment solution.
  • GlobalSign: Select GlobalSign if you are using GlobalSign as the CA for certificate enrollment.
  • Local: Select Local if you are using MobileIron Core as the CA.
  • OpenTrust: Select OpenTrust if you are using the OpenTrust integration. See Certificate Enrollment settings.
  • Single File Identity: Select Single File Identity to upload an identity certificate for distribution to devices.
  • SCEP: Select SCEP for standard certificate-based authentication using a separate CA.

    NOTE: SCEP Configurations created before upgrading to Core 7.0.0.0 or later should be replaced with a new SCEP Configuration. Failure to do so might result in cert renewal failure from Core 9.4.0.0.
  • Symantec Managed PKI: Select Symantec Managed PKI if you are using Symantec’s Certificate Enrollment solution. See Certificate Enrollment settings for more information.
  • Symantec Web Services Managed PKI: Select Symantec Web Services Managed PKI if you are using the Symantec Web Services Managed PKI solution. See Certificate Enrollment settings for more information.
  • User-Provided: Select User-Provided if device users will upload their personal certificates. The user portal includes a certificate upload section for this purpose. A web services API is also available for you to upload user-provided certificates.

If Certificate Enrollment integration is not an option

If Certificate Enrollment integration is not an option for your organization, consider configuring MobileIron Core as an intermediate or root CA. See Certificate Enrollment settings for more information.

Supported variables for certificate enrollment

The following variables are supported for the required and optional fields when configuring integration with supported Certificate Authorities (CAs):

  • $EMAIL$
  • $USERID$
  • $FIRST_NAME$
  • $LAST_NAME$
  • $DISPLAY_NAME$
  • $USER_DN$
  • $USER_UPN$
  • $USER_LOCALE$
  • $DEVICE_UUID$
  • $DEVICE_UUID_NO_DASHES$
  • $DEVICE_UDID$
  • $DEVICE_IMSI$
  • $DEVICE_IMEI$
  • $DEVICE_SN$
  • $DEVICE_ID$
  • $DEVICE_MAC$
  • $DEVICE_CLIENT_ID$
  • $USER_CUSTOM1$
  • $USER_CUSTOM2$
  • $USER_CUSTOM3$
  • $USER_CUSTOM4$
  • $REALM$
  • $TIMESTAMP_MS$
  • $RANDOM_16$
  • $RANDOM_32$
  • $RANDOM_64$
  • $CONFIG_UUID$*

* This substitution variable works only for the values under the Subject Alternative Names section for the following configurations: Entrust, Local, SCEP, Symantec Managed PKI. It is used for Sentry certificate-based tunneling (CBT).
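As an added illustration (not Core's own code), the following resolver expands the variables listed above in a subject or SAN template and enforces the footnote's rule that $CONFIG_UUID$ is only valid in SAN fields of the Entrust, Local, SCEP and Symantec Managed PKI configurations. The sample user and device values are constructed, and the assumption that $RANDOM_16$/$RANDOM_32$/$RANDOM_64$ yield that many hex characters is ours, not documented on this page.

```python
import re
import secrets
import time

# Substitution variables listed on this page (names without the surrounding $).
STATIC_VARS = {
    "EMAIL", "USERID", "FIRST_NAME", "LAST_NAME", "DISPLAY_NAME", "USER_DN",
    "USER_UPN", "USER_LOCALE", "DEVICE_UUID", "DEVICE_UDID", "DEVICE_IMSI",
    "DEVICE_IMEI", "DEVICE_SN", "DEVICE_ID", "DEVICE_MAC", "DEVICE_CLIENT_ID",
    "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4", "REALM",
    "CONFIG_UUID",
}
# Per the footnote, $CONFIG_UUID$ only works in Subject Alternative Name
# fields of these configuration types.
CONFIG_UUID_TYPES = {"Entrust", "Local", "SCEP", "Symantec Managed PKI"}
TOKEN_RE = re.compile(r"\$([A-Z0-9_]+)\$")


def resolve_field(template, context, config_type, field="subject"):
    """Expand $VAR$ tokens in one CA field (hypothetical helper, not Core code).

    context maps variable names (without $) to the user/device attribute values
    Core would supply. field is "subject" or "san". Unknown or unsupported
    tokens raise instead of being passed to the CA verbatim.
    """
    def expand(match):
        name = match.group(1)
        if name == "CONFIG_UUID" and (field != "san" or config_type not in CONFIG_UUID_TYPES):
            raise ValueError(f"$CONFIG_UUID$ is not supported in {field} for {config_type}")
        if name == "DEVICE_UUID_NO_DASHES":        # derived from DEVICE_UUID
            return context["DEVICE_UUID"].replace("-", "")
        if name == "TIMESTAMP_MS":                  # current time in milliseconds
            return str(int(time.time() * 1000))
        if name.startswith("RANDOM_"):              # RANDOM_16 / RANDOM_32 / RANDOM_64
            length = int(name[len("RANDOM_"):])     # assumption: length in hex characters
            if length not in (16, 32, 64):
                raise ValueError(f"unsupported variable ${name}$")
            return secrets.token_hex(length // 2)
        if name not in STATIC_VARS:
            raise ValueError(f"unsupported variable ${name}$")
        return context[name]                        # KeyError if the attribute is missing
    return TOKEN_RE.sub(expand, template)


# Constructed sample user/device attributes, not real data.
SAMPLE_CONTEXT = {
    "USER_UPN": "jdoe@example.com",
    "DEVICE_UUID": "0f3c2a1e-7b4d-4e9a-8c6f-1d2e3f4a5b6c",
    "CONFIG_UUID": "9a8b7c6d-5e4f-4a3b-2c1d-0e9f8a7b6c5d",
}
```

Example call: `resolve_field("CN=$USER_UPN$,OU=$DEVICE_UUID_NO_DASHES$", SAMPLE_CONTEXT, "SCEP")` returns the subject with both values filled in, while the same template with `$CONFIG_UUID$` in it raises because the subject field is not a SAN field.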

Certificate generation time

Certificate enrollment settings can be referenced from other settings on Core that require an identity certificate. Some settings that can reference certificate enrollment settings are Exchange settings, Email settings, Wi-Fi settings, VPN settings, AppConnect app configuration settings, Docs@Work settings, and Web@Work settings.

Most certificate enrollment settings cause an identity certificate to be generated. The identity certificate is generated at one of these times:

NOTE: Some certificate enrollment settings do not cause an identity certificate to be generated. Specifically, for user-provided certificate enrollment settings and single file identity certificate enrollment settings, the certificate is available on Core. For client-provided certificate enrollment settings, the certificate is available in Mobile@Work.

Early generation

Early generation occurs when you apply a label to a setting that references the certificate enrollment setting. Core generates identity certificates at this time for:

  • Exchange settings for Android devices
  • Email settings for Android devices
  • Wi-Fi settings for Android devices
  • VPN settings for Android devices
  • AppConnect app configurations
  • Docs@Work settings
  • Web@Work settings

For each device that has the same label as the setting, Core generates an identity certificate for the device for each setting that references the certificate enrollment setting. Core delivers the identity certificate to the device at a later time when Core delivers the setting to the device. Core delivers a setting to a device when the device checks in with Core.

NOTE: After Core generates an identity certificate, if Core does not send the certificate to a device within 14 days, Core deletes the certificate from its file system. If the setting is delivered to the device after that, the certificate is generated on demand at that time.

On-demand generation

On-demand generation occurs when MobileIron Core sends a setting that references the certificate enrollment setting to the device. It applies to every setting that references a certificate enrollment setting and is not in the early generation list above. The setting, including the certificate, is delivered to the device when the device checks in with MobileIron Core.