Product Documentation

Managing Security and Identity

Dec 21, 2015

In Device Manager, you use certificates to create secure connections and authenticate users.

To establish a secure connection, a server certificate is required at one end of the connection. A root certificate of the Certificate Authority (CA) that issued the server certificate is required at the other end.

  • Server certificate. A server certificate certifies the identity of a server. Device Manager requires this type of digital certificate.
  • Root certificate. A root certificate identifies the CA that signed the server certificate. The root certificate belongs to the CA. The user device requires this type of digital certificate to verify the server certificate.

You can submit a certificate to a CA for signing; the CA signs the certificate and returns it to you.

In addition to certificates, you can configure security and identity in Device Manager in the following ways:

  • Configure Device Manager to use Microsoft Certificate Services to generate user certificates for certificate-based authentication with Wi-Fi, VPN, and Exchange ActiveSync profiles. You can also configure Device Manager as the CA that generates requests and issues device identity certificates through Microsoft Certificate Services.
  • Configure your own SAML service and identity provider in Device Manager. The SAML-based infrastructure can authenticate users and their mobile devices.
  • Include Secure Device in your license; it is activated automatically when you install Device Manager. Secure Device provides a strong level of security for user devices.
  • Enable Strong ID, a form of two-factor authentication, for extra security when enrolling devices in Device Manager.
  • Configure filters in Device Manager that work with Network Access Control. Filters mark user devices as either compliant or not compliant. If a device is not compliant, it is blocked from accessing the internal network.

About XenMobile PKI

The XenMobile Public Key Infrastructure (PKI) Integration feature allows you to manage the distribution and life-cycle of security certificates used on your devices with great flexibility.

The main feature of the system is the PKI Entity. A PKI entity models a back-end component for PKI operations. That component may be either local to XenMobile (internal) or part of your corporate infrastructure (external, such as a Microsoft, RSA, or OpenTrust PKI). The PKI entity handles back-end certificate issuance and revocation, and it is the authoritative source for a certificate's status. The XenMobile configuration normally contains exactly one PKI Entity per back-end PKI component.

The second feature is the Credential Provider. A Credential Provider is a particular configuration of certificate issuance and life-cycle. It controls the certificate's format (subject, key, algorithms) and the conditions, if any, for its renewal or revocation. Credential Providers delegate operations to PKI Entities: Credential Providers control when, and with what data, PKI operations are undertaken, while PKI Entities control how those operations are performed. The XenMobile configuration normally contains many Credential Providers per PKI Entity.

The third feature of the system is Server Certificates. Server Certificates are X.509 certificates used by the PKI Entity or Credential Provider configurations.