Mutual authentication between devices and MobileIron Core

MobileIron Core supports mutual authentication, which means that not only must the device trust MobileIron Core, but MobileIron Core must trust the device. Therefore, with mutual authentication, a registered device can continue to communicate with Core only if the device provides the right certificate to Core. Mutually authenticated communication between the device and MobileIron Core enhances security.

NOTE: A device authenticating to Core with a certificate is also known as certificate-based authentication to Core.

Scenarios that can use mutual authentication

The device can present a client identity certificate to MobileIron Core in the following cases:

Table 1. Mutual authentication usage by platform

Platform    | Mutual authentication usage
------------|--------------------------------------------------------------------------
iOS         | Mobile@Work for iOS device check-in
            | AppConnect for iOS check-in
            | iOS MDM device check-in
            | Apps@Work for iOS communication
macOS       | Mobile@Work for macOS device check-in
            | macOS MDM device check-in
Android     | Mobile@Work for Android device check-in, which includes AppConnect check-in
            | Apps@Work for Android communication
Windows 10  | Device check-in

NOTE: Mutual authentication is not possible at the time Mobile@Work registers with Core, because the device receives its identity certificate during the registration process.

Core port usage with devices, with and without mutual authentication

The following table summarizes MobileIron Core port usage for registration and further communication with devices. The port usage for some cases is different depending on whether mutual authentication is enabled.

Table 2. Core port usage with devices with and without mutual authentication

Client or communication                                  | Without mutual authentication                                                       | With mutual authentication
---------------------------------------------------------|-------------------------------------------------------------------------------------|---------------------------
Mobile@Work for iOS                                      | 9997                                                                                | 443
Mobile@Work for Android                                  | 9997                                                                                | 443
Mobile@Work for macOS                                    | Not applicable. Mobile@Work for macOS always uses mutual authentication with Core.  | 443
iOS and macOS MDM agent provisioning and agent check-in  | 443                                                                                 | 443
Windows 10                                               | Not applicable. Windows 10 always uses mutual authentication with Core.             | 443

NOTE: Port 9997 is configurable in the System Manager in Settings > Port Settings > Sync TLS Port. However, changing the port is rare.

The mutual authentication setting on MobileIron Core

The setting on MobileIron Core to enable mutual authentication is in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. Whether the setting is automatically selected on new installations and upgrades is described by the following table.

Table 3. Setting for mutual authentication on new installs and upgrades

Scenario                                                                         | Setting to enable mutual authentication
---------------------------------------------------------------------------------|-----------------------------------------------------
New installations                                                                | Not selected. Mutual authentication is not enabled.
Upgrade from a previous version of Core in which mutual authentication was not   | Not selected. Mutual authentication is not enabled.
enabled, or upgrade from a version of Core prior to Core 9.7.0.0 in which the    |
Android mutual authentication setting was not enabled.                           |
Upgrade from a previous version of Core in which mutual authentication was       | Selected. Mutual authentication is enabled.
enabled, or upgrade from a version of Core prior to Core 9.7.0.0 in which the    |
Android mutual authentication setting was enabled.                               |

IMPORTANT: Once mutual authentication is enabled on Core, it cannot be disabled.

The mutual authentication setting impacts mutual authentication usage only on:

  • Mobile@Work for Android
  • Apps@Work for Android. However, to enable mutual authentication for Apps@Work for Android:
    • You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
    • The device must be using Mobile@Work 10.2.0.0 for Android through the most recently released version as supported by MobileIron.
  • Mobile@Work 9.8 for iOS through the most recently released version as supported by MobileIron
  • iOS MDM
  • macOS MDM

The mutual authentication setting has no impact on mutual authentication usage on:

  • Versions of Mobile@Work for iOS prior to Mobile@Work 9.8

    These versions of Mobile@Work for iOS never use mutual authentication.

  • Apps@Work for iOS

    Apps@Work for iOS uses mutual authentication if you select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.

  • Mobile@Work for macOS

    Mobile@Work for macOS always uses mutual authentication.

  • Windows 10 devices

    Windows 10 devices always use mutual authentication.

When devices use mutual authentication

Whether devices use mutual authentication depends on:

  • the device platform
  • whether mutual authentication was enabled before upgrade
  • whether mutual authentication is enabled after upgrade
  • whether mutual authentication is enabled after a new installation
  • for Mobile@Work for iOS, the version of Mobile@Work

The following table summarizes when devices use mutual authentication and the port they use in communication with MobileIron Core.

Table 4. Core mutual authentication (MA) setting impact to device communication

The three Core states compared in the table are:

  (A) New Core installation, or Core upgrade in which the MA setting was NOT enabled before upgrade. Mutual authentication setting: Not enabled.
  (B) New Core installation in which you enable the MA setting after installation, or Core upgrade in which the MA setting was NOT enabled before upgrade but you enable it after the upgrade. Mutual authentication setting: Enabled.
  (C) Core upgrade in which the MA setting WAS enabled before upgrade. Mutual authentication setting: Enabled.

Device client                                                   | (A) MA not enabled      | (B) MA enabled after install or upgrade                                                          | (C) MA enabled before upgrade
----------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------
Android: Mobile@Work (all Mobile@Work versions that Core supports) | Port 9997, MA not used | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used. | Port 443, MA used
iOS: Mobile@Work 9.8 through the most recently released version as supported by MobileIron | Port 9997, MA not used | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used. | Devices that register after enabling MA: port 443, MA used. Devices that were already registered: port 9997, MA not used.
iOS: Mobile@Work versions prior to 9.8                          | Port 9997, MA not used  | Port 9997, MA not used                                                                           | Port 9997, MA not used
iOS: iOS MDM check-in                                           | Port 443, MA not used   | Port 443, MA used                                                                                | Port 443, MA used
macOS: Mobile@Work                                              | Port 443, MA used       | Port 443, MA used                                                                                | Port 443, MA used
macOS: macOS MDM agent check-in                                 | Port 443, MA not used   | Port 443, MA used                                                                                | Port 443, MA used
Windows 10                                                      | Port 443, MA used       | Port 443, MA used                                                                                | Port 443, MA used

NOTE: On new MobileIron Core installations (not upgrades), if you enable mutual authentication before any devices register, you can disable port 9997 (in the System Manager in Settings > Port Settings > Sync TLS Port) because it is not used. If devices were registered before enabling mutual authentication, disabling the port causes those devices to be unable to check in.

Mutual authentication identity certificate for MobileIron Core

You provide an identity certificate for MobileIron Core to use in mutual authentication in the Portal HTTPS certificate. You configure this certificate on the System Manager at Security > Certificate Mgmt. The certificate is the identity certificate and its certificate chain, including the private key, that identifies MobileIron Core, allowing the devices to trust MobileIron Core. This certificate must be a publicly trusted certificate from a well-known Certificate Authority when using mutual authentication.

Mutual authentication client identity certificate

You enable mutual authentication for iOS and Android devices in the Admin Portal in Settings > System Settings > Security > Certificate Authentication. When enabling that setting, you specify a certificate enrollment setting. The certificate enrollment setting specifies how the identity certificate that the device will present to Core is generated.

By default, the certificate enrollment setting for mutual authentication is generated with Core as a local Certificate Authority (CA). Most customers use the default selection. However, if necessary due to your security requirements, you can instead specify a SCEP certificate enrollment setting that you create.

IMPORTANT:

Handling client identity certificate expiration for Android devices

Mobile@Work 10.1 for Android handles the expiration of the client identity certificate used for mutual authentication between Mobile@Work for Android and MobileIron Core. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Mobile@Work determines the renewal window has begun, it requests a new certificate from Core.

If Mobile@Work is out of contact with Core during the renewal window, but is in contact again within 30 days after the expiration, Mobile@Work requests a new certificate from Core.

If Mobile@Work is not in contact with Core either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Core.

Mobile@Work versions prior to 10.1 do not handle certificate expiration. When the certificate expires, the device user must re-register Mobile@Work.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the appropriate sync policy.
  3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 60.

    NOTE: A blank value defaults to 60 days.
  4. Click Save.
  5. Click OK.

Handling client identity certificate expiration for iOS devices

Mobile@Work 11.1.0 for iOS handles the expiration of the client identity certificate used for mutual authentication between Mobile@Work for iOS and MobileIron Core version 10.3.0.0 through the most recently released version as supported by MobileIron. In the Admin Portal, on the sync policy for the device, specify a renewal window for the certificate. The renewal window is a number of days prior to the certificate expiration. When Mobile@Work determines the renewal window has begun, it requests a new certificate from Core.

If Mobile@Work is out of contact with Core during the renewal window, but is in contact again within 30 days after the expiration, Mobile@Work requests a new certificate from Core.

If Mobile@Work is not in contact with Core either during the renewal window or within 30 days after the expiration, the device will be retired and will need to re-register with Core.

Mobile@Work versions prior to 11.1.0 do not handle certificate expiration. When the certificate expires, the device user must re-register Mobile@Work.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the appropriate sync policy.
  3. For Mutual Certificate Authentication Renewal Window, enter the number of days prior to the expiration date that you want to allow devices to renew their identity certificate. Enter a value between 1 and 60.

    NOTE: A blank value defaults to 60 days.
  4. Click Save.
  5. Click OK.
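The renewal rules described for Android (Mobile@Work 10.1 and later) and iOS (Mobile@Work 11.1.0 and later) above can be checked offline. The following is an added example, not MobileIron code: it applies the sync policy's renewal window (blank defaults to 60, valid values 1 to 60), the 30-day post-expiry grace period, and the client version gate to a given check-in date. The treatment of day 30 after expiry as still "within 30 days" is an assumption.

```python
from datetime import date, timedelta
from enum import Enum

# Rules taken from the sync-policy description above.
GRACE_DAYS_AFTER_EXPIRY = 30        # renewal still allowed this long after expiry
DEFAULT_RENEWAL_WINDOW_DAYS = 60    # a blank policy value defaults to 60 days
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 1, 60
# Minimum Mobile@Work version that handles certificate expiration at all.
MIN_RENEWAL_VERSION = {"android": (10, 1), "ios": (11, 1, 0)}

class Action(Enum):
    NONE = "valid: outside the renewal window, nothing to do"
    RENEW = "request a new client identity certificate from Core"
    RETIRE = "device retired: the user must re-register Mobile@Work"

def parse_version(text: str) -> tuple:
    """'10.2.0.0' -> (10, 2, 0, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def supports_renewal(platform: str, client_version: str) -> bool:
    """Only Mobile@Work 10.1+ (Android) and 11.1.0+ (iOS) renew the mutual-auth certificate."""
    return parse_version(client_version) >= MIN_RENEWAL_VERSION[platform.lower()]

def normalize_window(value) -> int:
    """Apply the policy field rules: blank -> 60, otherwise an integer from 1 to 60."""
    if value is None or str(value).strip() == "":
        return DEFAULT_RENEWAL_WINDOW_DAYS
    days = int(value)
    if not MIN_WINDOW_DAYS <= days <= MAX_WINDOW_DAYS:
        raise ValueError(f"renewal window must be {MIN_WINDOW_DAYS}..{MAX_WINDOW_DAYS} days, got {days}")
    return days

def _as_date(value) -> date:
    """Accept a date or an ISO string such as '2024-06-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def checkin_action(platform, client_version, cert_expires, checkin_day, window_value=None) -> Action:
    """What Mobile@Work does at a check-in on checkin_day, given the certificate's expiry date."""
    expires, today = _as_date(cert_expires), _as_date(checkin_day)
    if not supports_renewal(platform, client_version):
        # Older clients never renew: the certificate simply expires and the user re-registers.
        return Action.NONE if today < expires else Action.RETIRE
    window_start = expires - timedelta(days=normalize_window(window_value))
    grace_end = expires + timedelta(days=GRACE_DAYS_AFTER_EXPIRY)
    if today < window_start:
        return Action.NONE
    if today <= grace_end:   # assumption: day 30 after expiry still counts as "within 30 days"
        return Action.RENEW
    return Action.RETIRE
```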

Mutual authentication and Apps@Work

Both Apps@Work for Android and Apps@Work for iOS can use mutual authentication.

Apps@Work for iOS uses mutual authentication if you select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication. It does not depend on the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

However, Apps@Work for Android uses mutual authentication only if you do both of the following:

  • Select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication.
  • Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

See also:

  • "Setting up Apps@Work for iOS and macOS" in the MobileIron Apps@Work Guide
  • "Apps@Work in Mobile@Work for Android" in the MobileIron Apps@Work Guide

Enabling mutual authentication for Apple and Android devices

The MobileIron Core mutual authentication setting enables mutual authentication for:

  • Mobile@Work for Android
  • Apps@Work for Android

    • You must also select Certificate Authentication for Apps@Work at Apps > Apps@Work Settings > App Storefront Authentication.
    • The device must be using Mobile@Work 10.2.0.0 for Android through the most recently released version as supported by MobileIron.
  • Mobile@Work 9.8 for iOS through the most recently released version as supported by MobileIron
  • iOS MDM
  • macOS MDM


Before you begin 

  1. As discussed in Mutual authentication client identity certificate, create a SCEP certificate enrollment setting if you do not want to use the default local certificate enrollment setting for mutual authentication. The SCEP setting must select the Decentralized option. For details, see Certificate Enrollment settings.

    NOTE: When you enable mutual authentication, change the certificate enrollment selection for mutual authentication before any more devices register. Any devices already registered and using mutual authentication will not be able to check in with Core. Those devices will need to re-register with Core. Note that devices already registered but not using mutual authentication can continue to check in.
  2. If you are using iOS devices with the Apps@Work web clip using certificate authentication, change the Apps@Work Port field in the System Manager in Settings > Port Settings. MobileIron recommends port 7443. However, you can use any port except the port that the Admin Portal uses, which is either 443 or 8443, which you specify in the MIFS Admin Port field in the System Manager in Settings > Port Settings.

Procedure 

  1. In the Admin Portal, go to Settings > System Settings > Security > Certificate Authentication.
  2. Select Enable client mutual certification on Android client, iOS client and Apple MDM communication.
  3. In the Certificate Enrollment Configuration field, most customers use the default selection. Otherwise, select a SCEP certificate enrollment setting.
  4. Click Save.

See also:

  • "Setting up Apps@Work for iOS and macOS" in the MobileIron Apps@Work Guide
  • "Port settings" in the MobileIron Core System Manager Guide
  • "Apps@Work for Android authentication to MobileIron Core" in the MobileIron Apps@Work Guide

Enabling TLS inspecting proxy support when using mutual authentication

Contact MobileIron Professional Services or a MobileIron certified partner to set up this deployment.

MobileIron Core can support a TLS inspecting proxy to handle HTTPS requests from your devices to MobileIron Core when using mutual authentication. For example, you can use a TLS offload proxy such as an Apache or F5 server. This proxy is also known as a Trusted Front End. It intercepts and decrypts HTTPS network traffic and when it determines that the final destination is MobileIron Core, it re-encrypts and forwards the traffic to Core. The devices that register to Core (using port 443) must send HTTPS requests to the TFE rather than to MobileIron Core. Also, the TFE must be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.

See also: "Advanced: Trusted Front End" in the MobileIron Core System Manager Guide.

Migrating Mobile@Work for Android to use mutual authentication

For devices that register after enabling mutual authentication, Mobile@Work uses port 443 for device check-ins. However, devices that were already registered continue to use port 9997. You can migrate Mobile@Work for Android from using port 9997 without mutual authentication to using port 443 with mutual authentication. The device users do not need to re-register with MobileIron Core.

Before you begin 

Instruct Android device users to upgrade to Mobile@Work 10.1 for Android through the most recently released version as supported by MobileIron. Prior Mobile@Work releases do not support migration.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the sync policy for the devices that you want to migrate. Select Edit.
  3. In the Modify Sync Policy dialog box, select Migrate Mobile@Work Client.
  4. Click Save.
  5. Click OK.

On the next device check-in, MobileIron Core will send the mutual authentication client identity certificate to the device. In all subsequent device check-ins, the device will use mutual authentication on port 443.

On that first device check-in, the device's client migration status changes to Pending. After Core has sent the mutual authentication client identity certificate to the device, the client migration status changes to Success. You can search on this value in the Client Migration Status field in Advanced Search on Devices & Users > Devices.
