Using the internal MaaS360 Certificate for gateway authentication

Mobile Enterprise Gateway (MEG) provides a new authentication type, MaaS360® Certificate, which lets a device authenticate to the gateway with its internal device identity certificate instead of user credentials.

For the 2.91 release and later, you do not need to provide user credentials (user name and password) to authenticate a device to the gateway when you use the MaaS360 Certificate authentication type. Instead, the device sends its device identity certificate and its user identity. Mobile Enterprise Gateway (MEG) validates the device identity certificate and verifies that the user exists in the configured user registry. The user identity is stored and used downstream where required.

The user identity that the device provides is the same identity that was used during device enrollment. When Mobile Enterprise Gateway (MEG) verifies the user, this identity is matched against an attribute in the user registry. For Active Directory, the attribute must be sAMAccountName. For LDAP, the attribute is the one specified as User Search Attribute in the Cloud Extender® Configuration Tool.
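Because the gateway's user check is an exact match of the enrollment identity against sAMAccountName, an account that enrolled as CORP\jdoe or jdoe@corp.example will not be found even though its certificate is valid. The following script is an added example, not part of the IBM documentation or the MaaS360 product: a pre-flight check that resolves each enrollment identity the way the gateway does. It assumes the RSAT ActiveDirectory module in a domain-joined session, uses a constructed list of identities, and assumes (our assumption, not stated by the product) that the identity string is compared as-is with no domain prefix or suffix stripped. Identities are escaped per RFC 4515 before they go into the LDAP filter so that a crafted value cannot widen the search.

```powershell
# Added example; not from the MaaS360 documentation or product. Pre-flight check that
# each identity a device enrolled with resolves in Active Directory the way the gateway
# resolves it: by exact match on sAMAccountName. Requires the RSAT ActiveDirectory module
# and a domain-joined session with read access to user objects.
# Assumption (ours, not stated by the product): the gateway compares the enrollment
# identity string as-is, so "CORP\jdoe" or "jdoe@corp.example" is not the same as "jdoe".

Import-Module ActiveDirectory

# Constructed sample of enrollment identities, as exported from an inventory report.
$EnrollmentIdentities = @(
    'jdoe',                 # bare sAMAccountName: should resolve
    'CORP\asmith',          # NetBIOS-prefixed: would not match sAMAccountName as-is
    'bwong@corp.example',   # UPN form: would not match sAMAccountName as-is
    'ghost',                # no such account
    'x*)(objectClass=*'     # hostile value: must not widen the search
)

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping so an attacker-chosen identity cannot change the filter's meaning.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-BySamAccountName {
    param([Parameter(Mandatory)][string]$Name)
    $literal = ConvertTo-LdapFilterLiteral -Value $Name
    # The comparison the documentation describes: look the identity up by sAMAccountName.
    return Get-ADUser -LDAPFilter "(sAMAccountName=$literal)"
}

function Test-GatewayIdentity {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Find-BySamAccountName -Name $Identity
    if ($user) {
        return [pscustomobject]@{ Identity = $Identity; Status = 'OK'; Resolved = $user.SamAccountName }
    }

    # No direct match. See whether a domain prefix/suffix is the reason, so the fix lands on
    # the enrollment identity (re-enroll with the bare account name) rather than the directory.
    $bare = $null
    if     ($Identity -match '^[^\\]+\\(.+)$') { $bare = $Matches[1] }   # DOMAIN\user
    elseif ($Identity -match '^([^@]+)@.+$')   { $bare = $Matches[1] }   # user@domain
    if ($bare) {
        $user = Find-BySamAccountName -Name $bare
        if ($user) {
            return [pscustomobject]@{ Identity = $Identity; Status = 'NEEDS_BARE_NAME'; Resolved = $user.SamAccountName }
        }
    }
    return [pscustomobject]@{ Identity = $Identity; Status = 'NOT_FOUND'; Resolved = $null }
}

$EnrollmentIdentities | ForEach-Object { Test-GatewayIdentity -Identity $_ } | Format-Table -AutoSize
```

Run this before switching a policy's Authentication Type to MaaS360 Certificate: every NEEDS_BARE_NAME or NOT_FOUND row is a device whose certificate will validate but whose user check will fail. For a non-Active Directory LDAP registry, the same check would query the attribute configured as User Search Attribute in the Cloud Extender Configuration Tool with a plain LDAP search rather than Get-ADUser.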

Note: MaaS360 Certificate authentication requires the MaaS360 app for iOS 3.2.2 or later, or the MaaS360 app for Android 5.85 or later. The version numbers refer to the MaaS360 app, not to the mobile operating system.

Enabling the MaaS360 Certificate in a WorkPlace Persona policy

  1. From the IBM® MaaS360 Portal Home page, select Security > Policies > Add Policy.
  2. Create a new WorkPlace Persona policy. For example, MaaS360-Certificate-Auth.
  3. From the Services section, enable the Browser.
  4. From the Enterprise Gateway section, go to Authentication Settings, and then select MaaS360 Certificate from the Authentication Type Gateway list.
  5. From the Browser section, go to Enterprise Gateway, and then select the Enable MaaS360 Gateway for Internet Access check box.
  6. Select the default enterprise gateway that you want to authenticate with.
  7. Save and publish the policy.
  8. Assign the policy to an enrolled device, or enroll a device with the policy, and then wait for the notification that the new device identity certificate was pushed to the device.
  9. After the device is enrolled, confirm that it is using the policy and can authenticate to the gateway without credentials:
    1. On the device, go to My Device and check that the MaaS360-Certificate-Auth Persona policy is applied.
    2. Make sure that the device is not already connected to an enterprise gateway.
    3. Attempt to connect to the enterprise gateway through the Secure Browser; you are not prompted for credentials.
    4. Go to Settings > Connected Gateways to view the connection details.