Advanced: Outgoing SSL Configuration

For outgoing SSL/TLS connections, Ivanti EPMM supports:

  • TLS protocol version TLS v1.2 (TLS v1.0 and TLS v1.1 are not supported)
  • A default set of disabled and selected cipher suites.

Use the Security > Advanced > Outgoing SSL Configuration options to configure the cipher suites to use for outgoing SSL/TLS connections from Ivanti EPMM to external servers. Use this feature to also:

  • Configure Ivanti EPMM to be PCI-DSS 3.1 compliant
  • Change the cipher suites and for outgoing SSL/TLS connections if you have particular security or performance requirements

The configuration impacts connections to all external servers. Examples of external servers are SCEP servers and Apple Push Notification Service (APNS).

Important Do not change the cipher suites unless you have specific security or performance requirements. Most customers do not need to take any actions.

Ivanti EPMM uses a Server Name Extension (SNI) when making outgoing TLS connections. SNI is used by TLS clients (in this case Core) to indicate to a TLS server which hostname the client is attempting to reach. In the case where a single server is responding to multiple hostnames, using a SNI allows the server to respond with the correct TLS certificate to match the client's request. No Ivanti EPMM configuration is required for using SNI.

This section includes the following topics:

Protocols and cipher suites on Ivanti EPMM first-time installation

On first-time installation, MobileIron Ivanti EPMM supports:

  • Protocol version TLSv1.2
  • Default and selected cipher suites as displayed in the System Manager at Security > Advanced > Outgoing SSL Configuration.

Do not change the cipher suites until you have determined the cipher suites required for your external servers. See Determining which servers use which protocol versions and cipher suites for details.

Protocols and cipher suites on Ivanti EPMM upgrades

Protocol versions for outgoing connections on upgrade

When you upgrade to this Ivanti EPMM version, the selected and disabled protocol versions are as follows, regardless what they were set to before the upgrade:

  • Selected: TLSv1.2
  • Disabled: None

TLS v1.2 is the only supported protocol and cannot be moved to the disabled list.

Cipher suites for outgoing connections on upgrade

When upgrading Core, Ivanti EPMM uses the disabled and selected sets of cipher suites that you used in the Ivanti EPMM from which you upgraded. The exception to this rule is when a Ivanti EPMM release removes cipher suites. In that case, the removed cipher suites are no longer available to select after upgrade.

Note that Ivanti EPMM has a default set of selected and disabled cipher suites. Ivanti EPMM uses these default sets after upgrades only if you use the Reset to Default button. The default sets have changed in various Ivanti EPMM releases. Therefore, if your upgrade path took you through a release that changed the default sets, use the Reset to Default button only with caution as described in Changing to the default set of cipher suites for outgoing connections.

The default sets changed in:

  • Ivanti EPMM 10.2.0.0
  • Ivanti EPMM 10.3.0.0
  • Ivanti EPMM 11.4.0.0

Protocol version negotiation for outgoing SSL/TLS connections

Because Ivanti EPMM supports only TLSv1.2, outgoing SSL/TLS connections fail if they are to a server that does not support TLSv1.2.

Determining which servers use which protocol versions and cipher suites

Ivanti EPMM uses only the TLSv1.2 protocol for outgoing connections to external servers. If an external server is not configured to use TLSv1.2, connections to it from Ivanti EPMM will fail. Change the external server to use TLSv1.2.

Ivanti provides a utility that can determine the TLS protocols used in outgoing connections. See the https://community.mobileiron.com/docs/DOC-9256.

Regarding cipher suites, before you change which cipher suites to use to connect with external servers, make sure you know what the external servers require.

The System Manager screen at Security > Advanced > Outgoing SSL can help inform you of this information.

The Disabled and Selected lists mean the following:

Table 32.  Available and Selected lists

Fields

Description

Disabled

The cipher suite is available in Ivanti EPMM, but it is disabled. Therefore, Ivanti EPMM will not use it in any connections to external servers.

If the cipher suite is colored red, it is a legacy cipher suite that was in a Ivanti EPMM version that was in your upgrade path. It is not in the set of the current Ivanti EPMM version.

Selected

Ivanti EPMM can use the cipher suite in a connection to an external server.

If the cipher suite is colored red, it is a legacy cipher suite that was in a Ivanti EPMM version that was in your upgrade path. It is not in the set of the current Ivanti EPMM version.

An asterisk (*) on a protocol or cipher suite means the following:

Table 33.  Asterisk, protocol, cipher suite

Asterisk (*)

Description

Asterisk ( *) on a Disabled cipher suite protocol

The cipher suite is required by an external server. A connection attempt failed because the external server does not support any of the selected cipher suites.

Hover your mouse over the cipher suite. The display lists the external servers to which connections failed because that protocol or cipher suite was not in the Selected set.

Example  

2 endpoints have negotiated this protocol or cipher since 4 Feb 2020 01:53:04 GMT

Endpoints:

  • mdmenrollment.apple.com/17.146.232.35:443
  • accounts.google.com/216.58.192.45:443

Asterisk ( *) on a Selected cipher suite or protocol

The protocol or cipher suite was used in a connection to an external server.

Hover your mouse over the protocol or cipher suite. The display lists the external servers that have connected to Ivanti EPMM using that protocol or cipher suite.

Example  

1 endpoints have negotiated this protocol or cipher since 4 Feb 2020 01:53:04 GMT

Endpoints:

  • appgw.mobileiron.com/199.127.91.250:443

To populate the usage information indicated by the asterisks:

  • Run Ivanti EPMM for a two or three days, giving time to attempt most outgoing SSL/TLS connections.
  • In the Admin Portal, go to Services > Overview and click Verify All. This action makes connection attempts to many external servers.

After the usage information has been populated, you can determine:

  • Cipher suites in the Disabled list that you must move to the Selected list because at least one external server requires it. Alternatively, you can reconfigure the external server to support a selected cipher suite.
  • Cipher suites in the Selected list that you can move to the Disabled list, because no external servers use it. Typically, this is because you are using a stronger cipher suite.

Notes

  • Ivanti EPMM clears the asterisks and associated usage information once a week.
  • The weekly collection period begins when you restart Ivanti EPMM, or when you click Apply to change the cipher suite choices.
  • To see up-to-date asterisk information, click on Security > Advanced > Outgoing SSL Configuration.

Configuring outgoing SSL/TLS connections

Ivanti recommends that you use the default cipher suites for outgoing SSL/TLS connections. Most customers do not need to change them. However, if you have specific security or performance requirements, you can change the choices. Before changing the cipher suites used in outgoing SSL/TLS connection, see Determining which servers use which protocol versions and cipher suites for details.

Prerequisites for configuring outgoing SSL/TLS connections

The following conditions must be met to configure outgoing SSL/TLS connections:

  • Configure outgoing SSL/TLS connections only from the primary Ivanti EPMM for HA configurations. Configuring outgoing SSL connections from the second or third instance of Ivanti EPMM is not supported since the Tomcat service will be down in the second and third Core.
  • The administrator configuring the outgoing SSL/TLS connections in the System Manager must also be an administrator in the Admin Portal.

Configuring the cipher suites for outgoing SSL/TLS connections

You can configure the cipher suites for outgoing SSL/TLS connections.

You cannot disable the protocol TLSv1.2. If you move it to the Disabled list and click Apply, Ivanti EPMM displays an error message. Move TLSv1.2 back to the Selected list before reclicking Apply.

Procedure 

To change the cipher suites for outgoing SSL/TLS connections:

  1. Log into System Manager.
  2. Go to Security > Advanced > Outgoing SSL Configuration.
  3. Go to the Cipher Suites section.
  4. Click and drag cipher suites between the Disabled and Selected lists to select the cipher suites to use for outgoing SSL/TLS connections.
  5. List the cipher suites in order, from highest preference to lowest by dragging each cipher suite up or down in the Selected list.

    Each external server uses the listed order in determining which cipher suite to use of the cipher suites that it supports. Therefore, Ivanti suggests you list the strongest cipher suites first.

  6. Click Apply > OK.

    Ivanti EPMM Tomcat service, which supports web requests to and from Core, automatically restarts.

Changing to the default set of cipher suites for outgoing connections

When you upgrade Core, the set of outgoing SSL/TLS protocols and cipher suites on your MobileIron Ivanti EPMM are the ones described in Protocols and cipher suites on Ivanti EPMM upgrades.

You can change the cipher suite set to a set of your choice. You can also change to the default Ivanti EPMM set using the Reset to Default on the System Manager’s Security > Advanced > Outgoing SSL screen.

Most customers do not need to make any changes. However, you can change Ivanti EPMM to use the Ivanti EPMM default set of cipher suites if you have specific security requirements.

Do not click Reset to Default unless:

  • You have specific security or performance requirements to use the Ivanti EPMM set of cipher suites. Most customers do not need to take any action.
  • You have identified the cipher suites required for your external servers, and have confirmed that they are included in the default set of cipher suites.

For example, after an upgrade, an external server that depends on a legacy cipher suite that is not in the default set of cipher suites can connect to Core. However, after you click Reset to Default, that server will not be able to connect to Core.

Therefore, see Determining which servers use which protocol versions and cipher suites before you click Reset to Default.

Procedure 

To change the configuration to the Ivanti EPMM default set of strong cipher suites:

  1. Log into System Manager.
  2. Go to Security > Advanced > Outgoing SSL Configuration.
  3. Click Reset to Default.
  4. Click Apply > OK.

    Ivanti EPMM Tomcat service, which supports web requests to and from Core, restarts automatically.

External servers connected to with outgoing SSL connections

Ivanti EPMM uses outgoing SSL/TLS connections to various external servers. Ivanti EPMM uses the TLSv1.2 protocol for these connections. If an external server is not configured to use TLSv1.2, change the external server to use TLSv1.2.

Some of these external servers are:

  • Standalone Sentry
  • Connector
  • SCEP servers
  • LDAP servers
  • Ivanti EPMM Gateway
  • Apple Push Notification Service (APNS)
  • Content Delivery Network servers
  • MobileIron support server (support.mobileiron.com)
  • Outbound proxy for Gateway transactions and system updates
  • SMTPS servers
  • Public app stores (Apple, Google, Windows)
  • Apple License servers
  • Apple Device Enrollment servers
  • Android for Work servers