Configuring a client-provided certificate enrollment setting

This section covers client-provided certificate enrollment settings.

Client-provided certificate enrollment settings are applicable only to iOS and Android devices.

Overview of client-provided certificate enrollment settings

Derived credentials are identity certificates derived from the certificates on a smart card. The derived credentials are stored on the device in Mobile@Work on iOS devices, and in Secure Apps Manager on Android devices. AppConnect apps on mobile devices can use derived credentials for these purposes:

  • authentication to backend servers, such as email servers, web servers, or app servers
  • digital signing
  • encryption
  • decryption of older emails for which the original encryption certificate has expired (iOS only)
  • authenticating the user to Standalone Sentry when using AppTunnel with Kerberos authentication to the backend server

You create a client-provided certificate enrollment setting when you want an AppConnect app to use derived credentials for one of these purposes. You then refer to that client-provided certificate enrollment setting from the appropriate app setting (listed below).

NOTE: The certificate enrollment setting is called client-provided because Mobile@Work for iOS or Secure Apps Manager for Android, known as client apps, provide the identity certificate to the AppConnect app.

Only the following settings can refer to a client-provided certificate enrollment setting:

  • AppConnect app configuration

    It can refer to a client-provided certificate enrollment setting in:

    • the value in a key-value pair in its App-specific Configurations section
    • the identity certificate in its AppTunnel Rules section
  • Web@Work setting

    It can refer to a client-provided certificate enrollment setting in:

    • the value in a key-value pair in its Custom Configurations section
    • the identity certificate in its AppTunnel Rules section
  • Docs@Work setting

    It can refer to a client-provided certificate enrollment setting in:

    • the value in a key-value pair in its Custom Configurations section
    • the identity certificate in its AppTunnel Rules section

Make sure the version of Mobile@Work for iOS or the Secure Apps Manager for Android on the device supports client-provided certificate enrollment settings as shown in the following table:

Reference to the client-provided certificate enrollment setting:

Client app on the device                                                                       | In key-value pairs | In AppTunnel rules
iOS: Mobile@Work prior to 8.5                                                                  | Not supported      | Not supported
iOS: Mobile@Work 8.5 and 8.6                                                                   | Supported          | Not supported
iOS: Mobile@Work 9.0 through the most recently released version as supported by MobileIron     | Supported          | Supported
Android: All versions of Secure Apps Manager supported or compatible with MobileIron Core      | Supported          | Not supported

For more information about derived credentials, see the following documents:

  • MobileIron Core Derived Credentials Guide
  • MobileIron PIV-D Manager App for iOS Release Notes
  • MobileIron PIV-D Entrust App for Android Release Notes

Specifying a client-provided certificate enrollment setting

To specify a client-provided certificate enrollment setting:

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Certificate Enrollment > Client-Provided.
  3. In the New Client-Provided Certificate Enrollment Setting dialog box, use the following guidelines to specify your settings.

     Item           | Description
     Name           | Enter brief text that identifies this certificate enrollment setting.
     Description    | Enter additional text that clarifies the purpose of this certificate enrollment setting.
     Select purpose | Select one of the following, depending on the intended use of the client-provided identity certificate: Authentication, Decryption, Encryption, or Signing.
     Provider       | Select the derived credential provider.

  4. Click Save.