Skip navigation
Documentation

Trusted Endpoints - MobileIron Cloud Managed Device Deployment

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through MobileIron Cloud configuration for Android and iOS mobile devices.

These instructions are for the cloud-hosted MobileIron Cloud service. If you are using MobileIron Core, see our instructions for the on-premises MDM instead.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the MobileIron Cloud admin portal as an administrator with the rights to create roles, accounts, certificate authorities, and device profiles.

Create the MobileIron Cloud Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate MobileIron Cloud in the listed integrations and click the Select this integration link to the right.

The new MobileIron Cloud integration is created in the "Off" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Cloud management integration page to complete the Android and/or iOS configuration steps.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your MobileIron Cloud MDM's API access.

Create a Duo API Account

  1. Log on to the MobileIron Cloud admin portal as an administrator and navigate to the Users page.

  2. Click the Add button and choose API User on the pop-up menu.

  3. Enter the following information on the "Basic" tab form:

    Username Enter the desired Duo account username.
    First Name and Last Name Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
    Email Address This will be automatically populated with the MobileIron username email address.
    Password and Confirm Password Enter and confirm a strong password for the Duo admin user.

    Click the Done button to create the Duo API user.

    New Duo API Admin

  4. Click on the Duo API Admin user you just created to view that user account's properties. On the page for the API account, click the Actions button and then click Assign Roles.

  5. Check the boxes for the Helpdesk Roles System Read Only (which also automatically includes "User Read Only") and Device Read Only for all available partitions.

    New Duo API Admin - Roles

  6. Click Done to assign the role privileges to the Duo API user.

Enter MobileIron Cloud Info in Duo

  1. Return to your MobileIron Cloud management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 2 of the MobileIron Cloud "Android Configuration Instructions" section:

    Email Address Enter the email address (which is also the username) of the Duo API user you created in MobileIron Cloud.
    Password Enter the password for the Duo API user you created in MobileIron Cloud.
    Domain Name Enter your organization's MobileIron Cloud domain. For example, acmecorp.mobileiron.com.
  3. Click the Test Configuration button to verify Duo's API access to your MobileIron Cloud instance. You'll receive a "Configuration Succesful!" message if everything's correct. If the test fails, verify that you completed the MobileIron Cloud configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

iOS Configuration

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use MobileIron Cloud to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Set Up the Cloud Connector

  1. Log on to the MobileIron Cloud admin portal as an administrator and navigate to AdminConnectors. Click Download the Connector to obtain the Cloud Connector installation ISO.

  2. Deploy the MobileIron Cloud Connector in your on-premises VMWare environment, following the setup instructions in the Connector Installation Guide.

  3. Ensure that your Connector successfully registered with your MobileIron Cloud tenant and has green online status on the Connectors page in the MobileIron admin portal before continuing on with the Duo CA configuration.

    Registered Online Cloud Connector

Add the Duo Certificate Authority

  1. In the MobileIron Cloud admin portal, navigate to AdminCertificate Authority and click the Add button.

  2. Click the Continue button under the "Add an External Certificate Authority" option on the "Add Certificate Authority" page.

  3. Enter the Duo Certificate Authority (CA) information from step 2 of the iOS Configuration Instructions on the MobileIron Cloud management integration page in the Duo Admin Panel as follows:

    Name Enter a descriptive name, like "Duo CA".
    Certificate Authority Type Microsoft
    SCEP URL Paste in the SCEP URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
    Username Paste in the Username from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
    Password Paste in the Password from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
    Challenge URL Paste in the Challenge URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.

    Click Save after entering all the required information to move to the next steps of adding an identity certificate configuration.

    Add Duo CA

Add an Identity Certificate Configuration

  1. Go to the Configurations page using the top navigation. With the Default Partition selected in the far left drop-down menu, click the Add button.

  2. Locate the Identity Certificate configuration type and click it to begin adding the new Duo configuration.

  3. Enter the Identity Certificate configuration information from the MobileIron Cloud management integration page in the Duo Admin Panel as follows:

    Name Enter a descriptive name, like "Duo Trusted Endpoints".
    Description Enter additional information about this new configuration, if desired.
    Certificate Distribution Dynamically Generated.
    Source Select the Duo CA you added earlier.
    Signature Algorithm SHA256 with RSA
    Subject Paste in the Subject from the "Add a Configuration" section of the iOS instructions on the MobileIron Cloud management integration page in the Duo Admin Panel.
    Key Size 2048
    Use as digital signature Check the box next to this option.

    Click Test Configuration and Continue after entering all the required information.

    Add Duo Identity Configuration

  4. If the Duo CA and the configuration information is correct then you'll see the "Configuration test successful" page, which also shows you your Duo certificate information. Click Next to continue.

    If the configuration test fails, double-check that the information entered for the Duo CA was correct, and that your Connector registered successfully and has "On" status in the MobileIron admin portal.

  5. On the last page of the "Create Identity Certificate Configuration" setup you can choose which devices receive the new Duo configuration. Enable the configuration by checking the Enable this configuration box, and then click the Custom option to select the device group that contains your managed iOS devices.

  6. Click Done after selecting your iOS device groups for configuration distribution.

  7. Repeat steps 2 through 7 again for each additional partition in the drop-down list on the "Configurations" page.

Finish Trusted Endpoints Deployment

Once your MobileIron Cloud managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the MobileIron Cloud trusted endpoint management integration in the Admin Panel and activate it either by changing the selection at the top of the page from "Off" to "On" (to immediately apply this to all your Duo users), or select "Test" and pick a target Duo group to verify your setup against a subset of users.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users on Android devices see a prompt to "check your permissions" when authenticating to a protected resource via the Duo Prompt.

Android Trusted Endpoint Verification - Step 1

Duo uses the API access you granted in MobileIron Cloud to verify device information.

Android Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the MobileIron Cloud API access then the user receives access to the protected application.

Android Trusted Endpoint Verification Failed

iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Removing the MobileIron Cloud Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing MobileIron Cloud integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in MobileIron Cloud.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free