Duo Trusted Endpoints - Ivanti Endpoint Manager Mobile (formerly known as MobileIron Core)

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to allow REST API access for Duo to your managed mobile devices. This guide walks you through Ivanti Endpoint Manager Mobile configuration for Android and iOS mobile devices.

These instructions are for the on-premises Ivanti Endpoint Manager Mobile software, version 11.8 and up. This integration may also work for MobileIron Core software 9.3 to 11.6, but navigation steps and input label may differ. If you are using Ivanti Neurons for MDM (formerly known as MobileIron Cloud and Ivanti Secure UEM), see our instructions for Ivanti Neurons for MDM instead.

Prerequisites

• Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
• Access to the Ivanti Endpoint Manager Mobile admin portal as an administrator with the rights to create roles, accounts, certificate authorities, device profiles, and register Android and iOS devices.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Endpoint Manager Mobile MDM's API access.

You must have already configured Android for Work in Ivanti Endpoint Manager Mobile.

Create the Ivanti Endpoint Manager Mobile Integration

1. Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Ivanti Endpoint Manager Mobile in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Android from the "Recommended" options, and then click the Add button.

The new Ivanti Endpoint Manager Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Ivanti Endpoint Manager Mobile management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

1. Log on to the Ivanti Endpoint Manager Mobile admin portal as an administrator and navigate to Apps → App Catalog.

2. Click Add+ and then click Google Play.

3. In the "Application Name" field, enter in Duo Mobile, and then click Search. Select Duo Mobile and click Next.

4. Edit the Duo Mobile app description and categories if you wish. Click Next.

5. Enable the Install this app for Android for Work and By distributing this app you will accept the following permissions on behalf of users options for Duo Mobile.

6. Scroll down to "Configuration Choices". Locate the "Default Configuration" section and click on it to expand.

7. Enter $DEVICE_UUID$ into the "Trusted Endpoint Identifier" field.

8. Return to the Duo Admin Panel. Copy the Trusted Endpoints configuration key (it will look similar to DPK0W0KLPJLOGSKHTDD) and paste it into the Ivanti Endpoint Manager Mobile Trusted Endpoints Configuration Key field.

9. Click Finish to return to the App Catalog.

10. Select the Duo Mobile app. Click Actions → Apply to Labels. Select the labels that represent the user populations who will receive the Duo Mobile app.

11. Click Apply.

Create a Duo API Account

1. While still logged in to the Ivanti Endpoint Manager Mobile admin portal as an administrator, navigate to Devices & Users → Users.

2. Click the Add button and choose Add Local User on the pop-up menu.

3. Enter the following information on the "Add New User" form:

   User ID	Enter the desired Duo account username.
   First Name and Last Name	Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
   Password and Confirm Password	Enter and confirm a strong password for the Duo admin user.
   Email Address	Enter an email address for the Duo admin user.

4. Click the Save button to create the Duo admin user.

   

5. Navigate to Admin → Admins. Select the Duo Admin user you just created, click the Actions button, and then click Assign to Space.

6. Select a space from the "Select Space" drop-down list, and then check the box for the View device page, device details role under "Device Management". Click Save.

   

7. Repeat steps 5 and 6 for all available spaces that contain managed devices.

Modify Firewall Rules for Duo

If you are using an on-premises installation of Ivanti Endpoint Manager Mobile, you may need to modify your firewall rules so that Ivanti Endpoint Manager Mobile APIs can communicate with Duo's service.

Use the IP ranges shown under the "Add a Firewall Rule" section on the  Ivanti Endpoint Manager Mobile management integration page in the Duo Admin Panel when updating your firewall rules and verifying connectivity.

Enter Ivanti Endpoint Manager Mobile Info in Duo

1. Return to the Duo Admin Panel. Enter the following information into the blank fields in the "Enter API Details" section:

   Local User Email Address	Enter the email address (which is also the username) of the Duo admin user you created in Ivanti Endpoint Manager Mobile.
   Local User Email Password	Enter the password for the Duo admin user you created in Ivanti Endpoint Manager Mobile.
   Ivanti Endpoint Manager Mobile Domain Name	Enter your organization's Ivanti Endpoint Manager Mobile domain name. For example, acmecorp.mobileiron.com.

2. Click the Test Configuration button to verify Duo's API access to your Ivanti Endpoint Manager Mobile instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Ivanti Endpoint Manager Mobile configuration steps and entered the right information in the Duo Admin Panel.

3. After you successfully test your configuration, click the Save & Configure button.

At this point, the configured integration is disabled and applies to no users until you finish your deployment.

Verify Android Device Information with Search

After you configure the connection between Ivanti Endpoint Manager Mobile and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Configuration

Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Endpoint Manager Mobile MDM's API access.

Before proceeding, configure the TLS trust certificate chain for mobile management for Ivanti Endpoint Manager Mobile.

Create the Ivanti Endpoint Manager Mobile with App Config Integration

1. Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Ivanti Endpoint Manager Mobile in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Ivanti Endpoint Manager Mobile with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Ivanti Endpoint Manager Mobile with App Config management integration page to complete the configuration steps.

Configure Duo Mobile Distribution

1. Log on to the Ivanti Endpoint Manager Mobile admin portal as an administrator and navigate to Apps → App Catalog.

2. Click Add+ and then click iTunes.

3. In the "Application Name" field, enter in Duo Mobile, and then click Search. Select Duo Mobile and click Next.

4. Edit the Duo Mobile app description and categories if you wish. Click Next.

5. Optionally pick a category, then click Next.

6. On the "App Configuration" screen, enable the following "Managed App Settings":

   • Send installation request or send convert unmanaged to managed app request (iOS 9 and later) on device registration or sign-in
   • Enforce conversion from unmanaged to managed app (iOS 9 or later)

7. Return to the Duo Admin Panel. Click the Download the App Config XML spec link. The downloaded app_config_spec.xml file will be needed to complete the "Managed App Configurations" section within Ivanti Endpoint Manager Mobile.

8. In Ivanti Endpoint Manager Mobile under the "Managed App Configurations" section, click Add+.

9. Click Choose File and select the app_config_spec.xml file you downloaded from the Duo Admin Panel. Do not drag and drop the .xml file into Ivanti Endpoint Manager Mobile as this may cause upload errors.

   Once you upload the .xml spec file, the "MANAGED APP CONFIGURATIONS" information will show the Duo "trustedEndpointIdentifier" and "trustedEndpointConfigurationKey" keys and values.

10. Click Add and then click Finish.

11. Return to the App Catalog. Select the Duo Mobile app. Click Actions → Apply to Labels. Select the labels that represent the user populations who will receive the Duo Mobile app.

12. Click Apply.

Create a Duo API Account

1. While still logged in to the Ivanti Endpoint Manager Mobile admin portal as an administrator, navigate to Devices & Users → Users.

2. Click the Add button and choose Add Local User on the pop-up menu.

3. Enter the following information on the "Add New User" form:

   User ID	Enter the desired Duo account username.
   First Name and Last Name	Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
   Password and Confirm Password	Enter and confirm a strong password for the Duo admin user.
   Email Address	Enter an email address for the Duo admin user.

4. Click the Done button to create the Duo admin user.

   

5. Navigate to Admin → Admins. Select the Duo Admin user you just created, click the Actions button, and then click Assign to Space.

6. Select a space from the "Select Space" drop-down list, and then check the box for the View device page, device details role under "Device Management". Click Save.

   

7. Repeat steps 5 and 6 for all available spaces that contain managed devices.

Enter Ivanti Endpoint Manager Mobile Info in Duo

1. Return to the Duo Admin Panel. Enter the following information into the blank fields in the "Enter API Details" section:

   Local User Email Address	Enter the email address (which is also the username) of the Duo admin user you created in Ivanti Endpoint Manager Mobile.
   Local User Email Password	Enter the password for the Duo admin user you created in Ivanti Endpoint Manager Mobile.
   Ivanti Endpoint Manager Mobile Domain Name	Enter your organization's Ivanti Endpoint Manager Mobile domain name. For example, acmecorp.mobileiron.com.

2. Click the Test Configuration button to verify Duo's API access to your Ivanti Endpoint Manager Mobile instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Ivanti Endpoint Manager Mobile configuration steps and entered the right information in the Duo Admin Panel.

3. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify iOS Device Information with Search

After you configure the connection between Ivanti Endpoint Manager Mobile and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Certificate Configuration

End of Life Information

New Ivanti Endpoint Manager Mobile (formerly known as MobileIron Core) certificate deployment management integrations may no longer be created as of October 2021, and reached end of life on October 7. 2024. Duo device certificates will no longer renew after October 2024. You must migrate your certificate-based iOS Ivanti Endpoint Manager Mobile integration to Ivanti Endpoint Manager Mobile with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

Use of the Duo Desktop for trust attestation provides several advantages over the use of device certificates:

• It provides a more accurate assessment of your managed devices, and removes concerns about long-lived certificates present on devices no longer managed by your organization.
• It extends support to Firefox users. Trusted Endpoint certificate detection only works with Chrome, Edge, Safari, and Internet Explorer (depending on the management system).
• Improves trust detection for web browsers and thick client applications.

See the Duo Trusted Endpoints Certificate Migration Guide for more information..

Finish Trusted Endpoints Deployment

Once your Ivanti Endpoint Manager Mobile managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Ivanti Endpoint Manager Mobile trusted endpoint management integration in the Duo Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group, or activate for all users. If you created more than one Ivanti Endpoint Manager Mobile integration, you must activate each one individually.

Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

Duo uses the API access you granted in Ivanti Endpoint Manager Mobile to perform a permissions check to verify device information.

If Duo successfully verifies the device information using the Ivanti Endpoint Manager Mobile API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

Search for Device Identifiers

If you configured Duo Mobile for iOS with App Config or Android to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Ivanti Endpoint Manager Mobile into Duo.

To search for a device identifier in Duo:

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.

2. Locate the Ivanti Endpoint Manager Mobile or Ivanti Endpoint Manager Mobile with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.

3. In the "Check if devices have synced" section, enter the identifier for the device you want to check and click Search.

4. A message appears indicating if the device identifier was either found or not found. If the device identifier is not found, check your Ivanti Endpoint Manager Mobile API configuration and wait 24 hours.

Use these instructions to find the device identifier to search in Ivanti Endpoint Manager Mobile.

1. Log in to the Ivanti Endpoint Manager Mobile admin portal, navigate to Devices & Users, and expand a device to view.
2. Under "Device Details", see "Device UUID".
3. The "Device UUID" is the device identifier. Copy this value and use it to perform the search in Duo.

Removing the Ivanti Endpoint Manager Mobile Management Integration

Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Ivanti Endpoint Manager Mobile integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Ivanti Endpoint Manager Mobile.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.