Using the internal IBM MaaS360 Certificate for gateway authentication
Mobile Enterprise Gateway (MEG) provides a new type of authentication, IBM® MaaS360® Certificate, that allows a device to use an internal device identity certificate to authenticate with the gateway.
From version 2.91 onward, you do not need to enter credentials to authenticate a device to the gateway when you use the IBM MaaS360 Certificate authentication type. To authenticate to the gateway, a device sends its device identity certificate and user identity. Mobile Enterprise Gateway (MEG) validates the provided device identity certificate and verifies that the user exists in the configured user registry. The user identity is stored and used downstream when required.
User identity that is provided by the device is the same identity that is used during device enrollment. When Mobile Enterprise Gateway (MEG) verifies the user, this identity is used to map to an attribute in the user registry. For Active Directory, the attribute must be the samaccountname. For LDAP, the attribute is specified as User Search Attribute in the Cloud Extender® Configuration Tool.
Note: The IBM MaaS360 Certificate is supported on iOS 3.2.2+ and Android 5.85+ devices.
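Because the gateway trusts the enrollment identity and only checks that it maps to a registry attribute, it is worth confirming before rollout that every enrolled identity resolves to exactly one directory entry. The following is an added example, not IBM code and not how MEG performs the lookup: it checks identities against a constructed directory export and builds the RFC 4515-escaped search filter an administrator could use to verify each one. The function names, the `uid` attribute value, and the sample data are assumptions.

```python
# Added illustration, not IBM code: pre-rollout check that each enrollment
# identity maps to exactly one entry on the configured registry attribute.

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' becomes \2a
        else:
            out.append(ch)
    return "".join(out)

def build_filter(attribute, identity):
    """Equality filter on the mapped attribute, with the identity escaped."""
    return "(%s=%s)" % (attribute, escape_filter_value(identity))

def check_mapping(identities, entries, attribute):
    """Return {identity: (status, filter)}; status is ok, missing or ambiguous."""
    attr = attribute.lower()
    report = {}
    for identity in identities:
        # Attribute names and these attribute values compare case-insensitively.
        hits = [e for e in entries
                if any(k.lower() == attr and v.lower() == identity.lower()
                       for k, v in e.items())]
        if len(hits) == 1:
            status = "ok"
        elif not hits:
            status = "missing"      # user would not be found in the registry
        else:
            status = "ambiguous"    # identity maps to more than one entry
        report[identity] = (status, build_filter(attribute, identity))
    return report

# Constructed sample data: a small directory export and enrollment identities.
DIRECTORY = [
    {"dn": "uid=ang,ou=staff,dc=example,dc=test", "uid": "ang"},
    {"dn": "uid=broy,ou=staff,dc=example,dc=test", "uid": "broy"},
    {"dn": "uid=BRoy,ou=contractors,dc=example,dc=test", "uid": "BRoy"},
]
ENROLLED = ["ang", "broy", "carol", "d.lee (ops)"]

if __name__ == "__main__":
    # "uid" stands in for whatever User Search Attribute is configured.
    for ident, (status, flt) in check_mapping(ENROLLED, DIRECTORY, "uid").items():
        print("%-12s %-9s %s" % (ident, status, flt))
```

For Active Directory, pass the attribute named above (samaccountname) instead of `uid`; identities reported as missing or ambiguous should be resolved in the registry before the policy is assigned.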
Enabling the IBM MaaS360 Certificate in a WorkPlace Persona policy
- From the IBM MaaS360 Portal home page, select .
- Create a new WorkPlace Persona policy. For example, MaaS360-Certificate-Auth.
- From the Services section, enable the Browser checkbox.
- From the Enterprise Gateway section, go to Authentication Settings, and select MaaS360 Certificate from the Authentication Type for Gateway list.
- From the Browser section, go to Enterprise Gateway, and select the Enable MaaS360 Gateway for Internet Access checkbox.
- Select the Default Enterprise Gateway that you want to authenticate with.
- Save and publish the policy.
- Enroll or assign the policy to a device, and then wait until you receive a notification that the new certificate is pushed to the device.
- After the device is enrolled, make sure that the device is using the policy.
- On the device, go to My Device and check for the MaaS360-Certificate-Auth Persona policy.
- Make sure that the device is not already connected to an enterprise gateway.
- Attempt to connect to the enterprise gateway by using the MaaS360 Browser without your credentials.
- Go to to view the connection details.