
Trusted Endpoints - MobileIron Core Managed Device Deployment

Last Updated: October 15th, 2021

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Trusted Endpoints is part of the Duo Beyond plan.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through MobileIron Core configuration for Android and iOS mobile devices.

These instructions are for the on-premises MobileIron Core software, version 9.3 and up. If you are using MobileIron Cloud, see our instructions for the cloud MDM instead.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the MobileIron Core admin portal as an administrator with the rights to create roles, accounts, certificate authorities, and device profiles.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your MobileIron Core MDM's API access.

You must have already configured Android for Work in MobileIron Core.

Create the MobileIron Core Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate MobileIron Core in the listed integrations and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new MobileIron Core integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Core management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

  1. Log on to the MobileIron Core admin portal as an administrator and navigate to Apps > App Catalog.

  2. Click Add+ and then click Google Play.

  3. Enter Duo Mobile and click Search. Click on the Duo Mobile row to select it, and then click Next.

  4. Edit the Duo Mobile app description and categories if you wish. Click Next.

  5. Enable the Install this app for Android for Work and By distributing this app you will accept the following permissions on behalf of users options for Duo Mobile.

  6. Scroll down to "Configuration Choices". In the "Default Configuration for Duo Mobile" section, locate the "Trusted Endpoint Identifier" field and enter $DEVICE_UUID$ as the value.

  7. Return to your MobileIron Core management integration page in the Duo Admin Panel.

  8. Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions of your MobileIron Core management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this in MobileIron as the Trusted Endpoints Configuration Key value.

  9. Click Finish to return to the App Catalog.

  10. Select the Duo Mobile app. Click Actions > Apply to Labels. Select the labels that represent the user populations who will receive the Duo Mobile app.

  11. Click Apply.

Create a Duo API Account

  1. While still logged in to the MobileIron Core admin portal as an administrator, navigate to Devices & Users > Users.

  2. Click the Add button and choose Add Local User on the pop-up menu.

  3. Enter the following information on the "Add New User" form:

    User ID: Enter the desired Duo account username.
    First Name and Last Name: Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
    Password and Confirm Password: Enter and confirm a strong password for the Duo admin user.
    Email Address: Enter an email address for the Duo admin user.

    Click the Done button to create the Duo admin user.

    New Duo Admin

  4. Navigate to Admin > Admins. Select the Duo Admin user you just created, click the Actions button, and then click Assign to Space.

  5. Select a space from the drop-down list, and then check the box for the View device page, device details role under "Device Management". Click Save.

    Assign Space Admin Role to Duo User

  6. Repeat steps 4 and 5 for all available spaces that contain managed devices.

Enter MobileIron Core Info in Duo

  1. Return to your MobileIron Core management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 2 of the MobileIron Core "Android Configuration Instructions" section:

    Email Address: Enter the email address (which is also the username) of the Duo admin user you created in MobileIron Core.
    Password: Enter the password for the Duo admin user you created in MobileIron Core.
    Domain Name: Enter your organization's MobileIron Core domain name. For example, acmecorp.mobileiron.com.
  3. Click the Test Configuration button to verify Duo's API access to your MobileIron Core instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the MobileIron Core configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Configuration

Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your MobileIron Core MDM's API access.

Before proceeding, configure the Apple MDM Certificate for MobileIron Core (Ivanti support login required).

Create the MobileIron Core with App Config Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate MobileIron Core in the listed integrations and click the Add this integration selector.
  4. Choose iOS from the "Recommended" options, and then click the Add button.

The new MobileIron Core with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Core with App Config management integration page to complete the configuration steps.

Configure Duo Mobile Distribution

  1. Log on to the MobileIron Core admin portal as an administrator and navigate to Apps > App Catalog.

  2. Click Add+ and then click iTunes.

  3. Enter Duo Mobile as the application name and then click Search. Click on the Duo Mobile application row to select it, and then click Next.

  4. Edit the Duo Mobile app description and categories if you wish. Click Next when done.

  5. Enable the Allow conversion of app from unmanaged to managed option and then click Next.

  6. On the "App Configuration" screen, enable the following "Managed App Settings":

    • Send installation request or send convert unmanaged to managed app request (iOS 9 and later) on device registration or sign-in
    • Enforce conversion from unmanaged to managed app (iOS 9 or later)
  7. Return to your MobileIron Core with App Config management integration in the Duo Admin Panel, and click the Download the App Config XML spec link. The downloaded app_config_spec.xml file will be needed to complete the "Managed App Configurations" section within MobileIron.

  8. In the "Managed App Configurations" in MobileIron Core, click Add+.

  9. Click Choose File and select the app_config_spec.xml file you downloaded from the Duo Admin Panel. Do not drag and drop the .xml file into MobileIron Core as this may cause upload errors.

    Once you upload the .xml spec file, the "MANAGED APP CONFIGURATIONS" information will show the Duo "trustedEndpointIdentifier" and "trustedEndpointConfigurationKey" keys and values.

  10. Click Add and then click Finish.

Create a Duo API Account

  1. While still logged in to the MobileIron Core admin portal as an administrator, navigate to Devices & Users > Users.

  2. Click the Add button and choose Add Local User on the pop-up menu.

  3. Enter the following information on the "Add New User" form:

    User ID: Enter the desired Duo account username.
    First Name and Last Name: Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
    Password and Confirm Password: Enter and confirm a strong password for the Duo admin user.
    Email Address: Enter an email address for the Duo admin user.

    Click the Done button to create the Duo admin user.

    New Duo Admin

  4. Navigate to Admin > Admins. Select the Duo Admin user you just created, click the Actions button, and then click Assign to Space.

  5. Select a space from the drop-down list, and then check the box for the View device page, device details role under "Device Management". Click Save.

    Assign Space Admin Role to Duo User

  6. Repeat steps 4 and 5 for all available spaces that contain managed devices.

Enter MobileIron Core Info in Duo

  1. Return to your MobileIron Core management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 2 of the MobileIron Core "Android Configuration Instructions" section:

    Email Address: Enter the email address (which is also the username) of the Duo admin user you created in MobileIron Core.
    Password: Enter the password for the Duo admin user you created in MobileIron Core.
    Domain Name: Enter your organization's MobileIron Core domain name. For example, acmecorp.mobileiron.com.
  3. Click the Test Configuration button to verify Duo's API access to your MobileIron Core instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the MobileIron Core configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Certificate Configuration

New MobileIron Core certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS MobileIron Core integration to MobileIron Core with App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing MobileIron Core iOS certificate deployments and will do so until the integration reaches end-of-life status, planned for the second half of 2022.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use MobileIron Core to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the MobileIron Core Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate MobileIron Core in the listed integrations and click the Add this integration selector.
  4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new MobileIron Core integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the MobileIron Core management integration page to complete the iOS configuration steps.

Add the Duo Certificate Authority

  1. In the MobileIron Core admin portal, navigate to Policies & Configs > Configurations.

  2. Go to Add New > Certificate Enrollment > SCEP under the "Add an External Certificate Authority" option on the "Add Certificate Authority" page.

  3. Enter the Duo Certificate Authority (CA) information from step 2 of the iOS Configuration Instructions on the MobileIron Core management integration page in the Duo Admin Panel into the "New SCEP Certificate Enrollment Setting" form as follows:

    Name: Enter a descriptive name, like "Duo CA".
    Description: Enter optional descriptive information about the Duo CA.
    Device Certificate Retrieval: Decentralized
    Certificate Type: User Certificate
    URL: Paste in the SCEP URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Core management integration page in the Duo Admin Panel.
    Subject: Paste in the Subject from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Core management integration page in the Duo Admin Panel.
    Key Type: RSA
    Key Length: 2048
    CSR Signature Algorithm: SHA256
    Challenge Type: Microsoft SCEP
    Challenge URL: Paste in the Challenge URL from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Core management integration page in the Duo Admin Panel.
    Username: Paste in the Username from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Core management integration page in the Duo Admin Panel.
    Password: Paste in the Password from the "Add an External Certificate Authority (CA)" section of the iOS instructions on the MobileIron Core management integration page in the Duo Admin Panel.

    Click Issue Test Certificate after entering all the required information. If MobileIron is able to issue a Duo certificate successfully, click OK on the certificate page and then click Save to finish creating the Duo CA. If you receive a warning message about certificate caching, click Yes to proceed.

    Add Duo CA

Apply the Duo CA Configuration

  1. While still on the "Configurations" page, select the Duo CA you just created and click Actions > Apply to Label.

  2. Select the device labels that include the iOS devices to which you want to issue Duo endpoint certificates.

  3. Click Apply after selecting your iOS device groups for configuration distribution to queue the update.

    Add Duo CA

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your MobileIron Core managed devices receive the Duo config, you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the MobileIron Core trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one MobileIron Core integration, you must activate each one individually.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

iOS Trusted Endpoint Inline Verification - Step 1

Duo uses the API access you granted in MobileIron to perform a permissions check to verify device information.

iOS Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the MobileIron API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

iOS Trusted Endpoint Verification - Step 3

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

iOS Trusted Endpoint Verification - Step 4

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Removing the MobileIron Core Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing MobileIron Core integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in MobileIron Core.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.