Purchase third-party trusted certificates

Ivanti, Inc. recommends using third-party certificates as follows:

  • Trusted TLS/SSL certificates for Ivanti EPMM and Standalone Ivanti Sentry
    • Ivanti EPMM Portal HTTPS: External hostname of Ivanti EPMM server.

      Allows a client (such as a browser or app) to trust Ivanti EPMM over ports 443 and 8443. You must use a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.

      Ivanti recommends allowing HTTPS traffic on port 8443 from the corporate network, limited to Ivanti applications only. This service is intended for EPMM server management and must have strictly controlled access.

    • Ivanti Sentry: External hostname of Ivanti Sentry server. Multiple sentries behind a load balancer will use the same external certificate.

      Allows a device to trust the Standalone Ivanti Sentry.

  • Trusted TLS/SSL certificates for device enrollment
    • iOS Enrollment: External hostname of Ivanti EPMM server. In most cases, the certificate will be the same as the Ivanti EPMM Portal HTTPS certificate.

      Ivanti EPMM uses this identity certificate to sign the Apple MDM configurations that it sends to iOS and macOS devices.

    • Client TLS: External hostname of Ivanti EPMM, often the same as the Ivanti EPMM Portal HTTPS certificate.

      Allows Ivanti Mobile@Work for iOS and Android to trust Ivanti EPMM over port 9997 or port 443.

  • Obtain these certificates in advance to ensure appropriate lead time.
  • Typically the Portal HTTPS, iOS Enrollment, and Client TLS certificates are the same certificate. However, you can use different certificates. We recommend using separate certificates for different use cases.

For more information, see “Certificates you configure on the Ivanti EPMM System Manager Guide” in the Ivanti EPMM System Manager Guide.
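
The following check is an added example, not Ivanti code. Once certificates are installed, it verifies that each listed port presents a publicly trusted certificate for the external hostname, flags certificates close to expiry, and reports when one certificate serves more than one use case. The hostname `epmm.example.com` and the 30-day lead time are assumptions. The iOS Enrollment signing certificate is not presented on a listening port, so it is not covered here.

```python
import hashlib, socket, ssl, time

# (use case, port) pairs taken from this page; HOST is a placeholder hostname.
HOST = "epmm.example.com"
ENDPOINTS = [("Portal HTTPS", 443), ("Portal HTTPS", 8443), ("Client TLS", 9997)]

def fetch(host, port, timeout=5):
    """Handshake verified against the system trust store.
    Returns (cert dict, SHA-256 of the DER cert); raises
    ssl.SSLCertVerificationError on an untrusted chain or name mismatch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()

def covers(cert, host):
    """True if a DNS subjectAltName matches host; '*' covers one label only."""
    host = host.lower()
    parent = host.partition(".")[2]
    wildcard = "*." + parent if parent else None
    return any(kind == "DNS" and name.lower() in (host, wildcard)
               for kind, name in cert.get("subjectAltName", ()))

def audit(records, host, now, min_days=30):
    """records: {(use case, port): (cert dict, fingerprint)}; now: epoch seconds.
    min_days is an assumed lead time; the page does not give a number."""
    findings, uses = [], {}
    for (use, port), (cert, fp) in records.items():
        if not covers(cert, host):
            findings.append(f"{use}:{port}: no SAN entry for {host}")
        days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
        if days < min_days:
            findings.append(f"{use}:{port}: {days} days left, below {min_days}")
        uses.setdefault(fp, set()).add(use)
    for shared in uses.values():
        if len(shared) > 1:  # the page recommends separate certs per use case
            findings.append("one certificate serves: " + ", ".join(sorted(shared)))
    return findings

if __name__ == "__main__":
    records = {ep: fetch(HOST, ep[1]) for ep in ENDPOINTS}
    print("\n".join(audit(records, HOST, time.time())) or "no findings")
```

Run it from a host on the corporate network, since port 8443 is expected to be unreachable from elsewhere.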