Duo Trusted Endpoints - Ivanti Neurons (formerly known as MobileIron Cloud) Managed Device Deployment

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through Ivanti Neurons configuration for Android and iOS mobile devices.

These instructions are for the cloud-hosted Ivanti Neurons service, formerly known as MobileIron Cloud and Ivanti Secure UEM. If you are using MobileIron Core, see our instructions for the on-premises MDM instead.

Prerequisites

• Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
• An Ivanti Neurons Secure UEM license
• Access to the Ivanti Neurons MDM admin portal as an administrator with the rights to create roles, accounts, certificate authorities, and device profiles.

Android Configuration

Duo determines trusted device status on Android devices using Duo Mobile installed and activated for Duo Push on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Neurons MDM's API access.

You must have already configured Android Enterprise and Work Profiles in Ivanti Neurons/MobileIron Cloud.

Create the MobileIron Cloud Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate MobileIron Cloud in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Android from the "Recommended" options, and then click the Add button.

The new MobileIron Cloud integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Duo MobileIron Cloud management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

1. Log on to the Ivanti Neurons admin portal as an administrator and click the Apps item on the left side of the page.

2. Click the Add button.

3. The default app catalog source may be set to the "iOS Store". Click the store drop-down list next to the search box and select the Google Play store from the list.

4. Once you've switched to the Google Play store, search for Duo Mobile, and then click on the Duo Mobile app shown in the search results.

   

5. Click the APPROVE button. You'll be shown the permissions needed by Duo Mobile. Click APPROVE again to accept these permissions.

6. Leave the "Approval Setting" for Duo Mobile set to the default option: "Keep approved when app requests new permissions." Click SAVE.

7. You'll return to the Duo Mobile application view, but now the app is "APPROVED". Click the Select button.

8. Make any desired app category selections or enter an optional description, and then click Next.

9. Since you already configured Android For Work (per the prerequisites), skip any further App Delegation and click Next.

10. Choose the user groups or individuals to whom you want to distribute Duo Mobile. Click Next.

11. Click the plus sign button to the right of Managed Configurations for Android to create a new configuration.

12. Give the configuration a unique name, such as "Duo Mobile Trusted Endpoint Config".

13. In the "Managed Configurations" section, locate the "Trusted Endpoint Identifier" field and enter ${deviceClientDeviceIdentifier} as the value.

14. Return to your MobileIron Cloud management integration page in the Duo Admin Panel.

15. Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions of your MobileIron Cloud management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this in Ivanti Neurons as the Trusted Endpoints Configuration Key value.

    

16. Click Next and then click Done.

Create a Duo API Account

1. While still logged into Ivanti Neurons as an administrator, navigate to the Users page.

2. Click the Add button and choose API User on the pop-up menu.

3. Enter the following information on the "Basic" tab form:

   Username	Enter the desired Duo account username.
   First Name and Last Name	Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
   Email Address	This will be automatically populated with the MobileIron username email address.
   Password and Confirm Password	Enter and confirm a strong password for the Duo admin user.

   Click the Done button to create the Duo API user.

   

4. Select the Duo API Admin user you just created by checking the box to the left of the username in the list of users. Click the Actions button and then click Append Roles. If you are viewing the details of the new Duo API user, click the Assign Roles icon underneath the user status information.

5. On the "Append Roles" or "Assign Roles to" page, check the boxes for the User Roles System Read Only (which also automatically includes "User Read Only") and Device Read Only. Click Next.

   

6. If you have additional spaces in your organization other than the "Default Space" make your appropriate selections from the available spaces and partitions for the "Device Read Only" role and then click Next.

   

7. Confirm your role and space selections and then click Done to assign the role privileges to the Duo API user.

   

Enter Ivanti Neurons Info in Duo

1. Return to your MobileIron Cloud management integration page in the Duo Admin Panel.

2. Enter the following information into the blank fields under step 2 of the MobileIron Cloud "Android Configuration Instructions" section:

   Email Address	Enter the email address (which is also the username) of the Duo API user you created in Ivanti Neurons.
   Password	Enter the password for the Duo API user you created in Ivanti Neurons.
   Domain Name	Enter your organization's Ivanti Neurons domain. For example, acmecorp.mobileiron.com.

3. Click the Test Configuration button to verify Duo's API access to your Ivanti Neurons instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Ivanti Neurons configuration steps and entered the right information in the Duo Admin Panel.

4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify Android Device Information with Search

After you configure the connection between Ivanti Neurons and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Configuration

Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Neurons MDM's API access.

Before proceeding, install the Apple MDM Certificate for MobileIron Cloud to manage iOS devices.

Create the MobileIron Cloud with App Config Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate MobileIron Cloud in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose iOS from the "Recommended" options, and then click the Add button.

The new MobileIron Cloud with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Cloud with App Config management integration page to complete the configuration steps.

Configure Duo Mobile Distribution

1. Log on to the Ivanti Neurons admin portal as an administrator and click the Apps item on the left side of the page.

2. Click the Add button.

3. The default app catalog source may be set to the "iOS Store". If not, click the store drop-down list next to the search box and select the iOS Store from the list.

4. Search for Duo Mobile in the iOS Store, and then click on the Duo Mobile app shown in the search results.

   

5. Click the Next button at the bottom of the page.

6. Set optional information on the "Description" page if you wish. Click Next.

7. Do not make any changes on the "App Delegation" page; click Next.

8. Choose the user groups or individuals to whom you want to distribute the Duo Mobile iOS application, or choose Everyone. Click Next.

9. On the "Configuration" page, click the plus sign next to Install on Device and set the Configuration Setup page information as follows:

   • Enter a name, like Duo Mobile Trusted Endpoint Config.

   • Toggle the "Device Installation Configurations" setting to On.

   • Check the box to enable Require Installation on device.

   • Check the box next to Enable MDM App Auto-Updates.

   • Check the box next to Convert to Managed App. Note that if Duo Mobile is not managed by MobileIron then MobileIron will not be able to send device identifiers to Duo to determine device trust during authentication.

   • Set "Distribute this App Config" to Everyone with App.

   Click Next when done to return to the "App Configurations" page.

10. Click the plus sign button next to Apple Managed App Configuration to create a new configuration.

11. Give the configuration a unique name, such as "Duo Mobile Trusted Endpoint Config".

12. In the "Apple Managed App Configuration" section, click +Add.

13. Return to your MobileIron Cloud with App Config management integration page in the Duo Admin Panel.

14. Copy the "Trusted Endpoints configuration Key" information from the MobileIron Cloud with App Config management integration. Paste this into the Key field in Ivanti Neurons.

15. Copy the "Trusted Endpoints configuration Value" information from the MobileIron Cloud with App Config management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this into the Value field in Ivanti Neurons.

16. Change the "Type" to STRING.

17. Click +Add to add another AppConnect Custom Configuration item.

18. Return to your MobileIron Cloud with App Config management integration page in the Duo Admin Panel again and copy the "Trusted Endpoints identifier Key" information from the MobileIron Cloud with App Config management integration. Paste this into the Key field in Ivanti Neurons.

19. Copy the "Trusted Endpoints identifier Value" information from the MobileIron Cloud with App Config management integration (${deviceClientDeviceIdentifier}). Paste this into the Value field in Ivanti Neurons.

20. Change the "Type" to STRING.

21. After adding both AppConnect Custom Configuration items click Next to return to the "App Configurations" page.

    

22. Click Done to complete the configuration for Duo Mobile.

Create a Duo API Account

1. While still logged into MobileIron as an administrator, navigate to the Users page.

2. Click the Add button and choose API User on the pop-up menu.

3. Enter the following information on the "Basic" tab form:

   Username	Enter the desired Duo account username.
   First Name and Last Name	Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
   Email Address	This will be automatically populated with the MobileIron username email address.
   Password and Confirm Password	Enter and confirm a strong password for the Duo admin user.

   Click the Done button to create the Duo API user.

   

4. Select the Duo API Admin user you just created by checking the box to the left of the username in the list of users. Click the Actions button and then click Append Roles. If you are viewing the details of the new Duo API user, click the Assign Roles icon underneath the user status information.

5. On the "Append Roles" or "Assign Roles to" page, check the boxes for the User Roles System Read Only (which also automatically includes "User Read Only") and Device Read Only. Click Next.

   

6. If you have additional spaces in your organization other than the "Default Space" make your appropriate selections from the available spaces and partitions for the "Device Read Only" role and then click Next.

   

7. Confirm your role and space selections and then click Done to assign the role privileges to the Duo API user.

   

Enter Ivanti Neurons Info in Duo

1. Return to your MobileIron Cloud with App Config management integration page in the Duo Admin Panel.

2. Enter the following information into the blank fields in the "API Details" section:

   Email Address	Enter the email address (which is also the username) of the Duo API user you created in Ivanti Neurons.
   Password	Enter the password for the Duo API user you created in Ivanti Neurons.
   Domain Name	Enter your organization's Ivanti Neurons domain. For example, acmecorp.mobileiron.com.

3. Click the Test Configuration button to verify Duo's API access to your Ivanti Neurons instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Ivanti Neurons configuration steps and entered the right information in the Duo Admin Panel.

4. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify iOS Device Information with Search

After you configure the connection between Ivanti Neurons and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Certificate Configuration

End of Life Information

New MobileIron Cloud certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS MobileIron Cloud integration to MobileIron Cloud with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing MobileIron Cloud iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use MobileIron Cloud to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the MobileIron Cloud Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate MobileIron Cloud in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new MobileIron Cloud integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Cloud management integration page to complete the iOS configuration steps.

Set Up the Cloud Connector

1. Log on to the MobileIron Cloud admin portal as an administrator and navigate to Admin → Connectors. Click Download the Connector to obtain the Cloud Connector installation ISO.

2. Deploy the MobileIron Cloud Connector in your on-premises VMWare environment, following the setup instructions in the Connector Installation Guide.

3. Ensure that your Connector successfully registered with your MobileIron Cloud tenant and has green online status on the Connectors page in the MobileIron admin portal before continuing on with the Duo CA configuration.

   

Add the Duo Certificate Authority

1. In the MobileIron Cloud admin portal, navigate to Admin → Certificate Authority and click the Add button.

2. Click the Continue button under the "Add an External Certificate Authority" option on the "Add Certificate Authority" page.

3. Enter the Duo Certificate Authority (CA) information from step 2 of the iOS Configuration Instructions on the MobileIron Cloud management integration page in the Duo Admin Panel as follows:

   Name	Enter a descriptive name, like "Duo CA".
   Certificate Authority Type	Microsoft
   SCEP URL	Paste in the SCEP URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
   Username	Paste in the Username from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
   Password	Paste in the Password from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
   Challenge URL	Paste in the Challenge URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.

   Click Save after entering all the required information to move to the next steps of adding an identity certificate configuration.

   

Add an Identity Certificate Configuration

1. Go to the Configurations page using the top navigation. With the Default Partition selected in the far left drop-down menu, click the Add button.

2. Locate the Identity Certificate configuration type and click it to begin adding the new Duo configuration.

3. Enter the Identity Certificate configuration information from the MobileIron Cloud management integration page in the Duo Admin Panel as follows:

   Name	Enter a descriptive name, like "Duo Trusted Endpoints".
   Description	Enter additional information about this new configuration, if desired.
   Certificate Distribution	Dynamically Generated.
   Source	Select the Duo CA you added earlier.
   Signature Algorithm	SHA256 with RSA
   Subject	Paste in the Subject from the "Add a Configuration" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
   Key Size	2048
   Use as digital signature	Check the box next to this option.

   Click Test Configuration and Continue after entering all the required information.

   

4. If the Duo CA and the configuration information is correct then you'll see the "Configuration test successful" page, which also shows you your Duo certificate information. Click Next to continue.

   If the configuration test fails, double-check that the information entered for the Duo CA was correct, and that your Connector registered successfully and has "On" status in the MobileIron admin portal.

5. On the last page of the "Create Identity Certificate Configuration" setup you can choose which devices receive the new Duo configuration. Enable the configuration by checking the Enable this configuration box, and then click the Custom option to select the device group that contains your managed iOS devices.

6. Click Done after selecting your iOS device groups for configuration distribution.

7. Repeat steps 2 through 7 again for each additional partition in the drop-down list on the "Configurations" page.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Ivanti Neurons managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the MobileIron Cloud trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group, or activate for all users. If you created more than one MobileIron Cloud integration, you must activate each one individually.

Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

Duo uses the API access you granted in Ivanti Neurons to perform a permissions check to verify device information.

If Duo successfully verifies the device information using the MobileIron API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Search for Device Identifiers

If you configured Duo Mobile for iOS with App Config or Android to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Ivanti Neurons into Duo.

To search for a device identifier in Duo:

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.

2. Locate the Ivanti Neurons or Ivanti Neurons with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.

3. In the Check if devices have synced section, enter the identifier for the device you want to check and click Search.

4. A message appears indicating if the device identifier was either found or not found. If the device identifier is not found, check your Ivanti Neurons API configuration and wait 24 hours.

Use these instructions to find the device identifier to search in Ivanti Neurons.

1. Log in to the Ivanti Neurons administration page, navigate to Devices, and select a device to view.
2. Under "Overview", see "Settings".
3. The "Device Client ID" is the device identifier. Copy this value and use it to perform the search in Duo.

Removing the MobileIron Cloud Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing MobileIron Cloud integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Ivanti Neurons.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.