Mobile Device Management Support via SCEP
The IDMS can be configured to work with a Mobile Device Management (MDM) system to facilitate the device verification and certificate distribution phase. With the MDM support, IdExchange is able to retrieve the user's device information directly from the MDM in order to automate the registration process. Finally, when the user has been approved for issuance, the MDM can directly issue a credential to the device without requiring any additional interaction from the user.
General Architecture
The MDM is hosted in a cloud environment and has direct access to the mobile device. The IDMS connects only to the MDM in order to obtain device information and to instruct the MDM to generate a credential on the device.
Device Verification
The IDMS can use the MDM to automate the registration of a user and their device. The IDMS looks up the user's device information, and the security officer can then approve this device for a derived credential. The benefits of this approach are that the device information is retrieved from an authoritative source and the user does not have to manually enter any information during the registration phase.
How Device registration and verification works
Step Number | Description |
---|---|
1 | Using the self-service portal or via a search conducted by the security official, the user's email address is retrieved and sent to the MDM. |
2 | The MDM looks up the user's device information based on their email address. |
3 | The MDM returns the device information to the IDMS. |
4 | The IDMS inspects the device information, validates it, and then presents it to the screen. |
5 | The user can choose to register this device and create a derived credential request. Later in the workflow, the security official can approve this request. |
Certificate Distribution
For certificate delivery, IDMS supports the Simple Certificate Enrollment Protocol (SCEP) to provide a standard way for MDM vendors to request and deploy certificates to the devices under their control.
Architecture components
Microservice: This service provides an interface for the MDM to contact. It receives the request and then routes it to the IDMS. The Microservice is kept separate to provide security segmentation between the components: it only listens for requests and forwards them to the IDMS, and it is not connected to any other systems.
IDMS: The IDMS is the core system that connects to the other credentialing systems such as Active Directory, the HID credential management system, databases, and certificate authorities. The IDMS also connects to the MDM in order to retrieve device information to accelerate the device verification process.
How the device obtains a certificate with the MDM
Step Number | Description |
---|---|
1 | The user creates a request and the security official approves the request. IDMS then assigns the device to the derived credential profile. |
2 | MDM reads the profile configuration, works with the mobile device to create a SCEP request. |
3 | MDM sends SCEP request to the IdExchange Microservice |
4 | The IdExchange Microservice forwards the SCEP request to the IdExchange Server. The request is verified and is routed to the CA. |
5 | The CA processes the request, generates the certificate, and returns it to the IdExchange Server. The IdExchange Server then returns the certificate to the IdExchange Microservice. |
6 | MDM/Device receives the certificate |
7 | Certificate is available on the device for security operations. |
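The two tables above describe one end-to-end workflow: the device is looked up in the MDM and approved, and only then does a SCEP request for it get routed to the CA. The following Python model ties both phases together. It is an added illustration, not IdExchange or MDM product code: the MDM inventory, the `managed` policy check, the UDID and transaction fields carried as plain query parameters (real SCEP carries them inside the PKCS#7 envelope of the `message` parameter), and the `sign_with_ca` placeholder are all assumptions made for the example. The two points it demonstrates are the gateway allowlist (the Microservice forwards only the three SCEP operations, and only to the IDMS) and the server-side approval gate (a PKIOperation for a device that was never approved is refused before it reaches the CA).

```python
"""Model of the MDM registration and SCEP issuance workflow (constructed example)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# The only operations SCEP (RFC 8894) defines; the gateway rejects anything else.
SCEP_OPERATIONS = {"GetCACaps", "GetCACert", "PKIOperation"}

# Constructed stand-in for the MDM's device inventory, keyed by user e-mail.
MDM_INVENTORY = {
    "alice@example.com": {"udid": "UDID-0001", "model": "iPhone", "os": "iOS 17.4", "managed": True},
    "bob@example.com": {"udid": "UDID-0002", "model": "Pixel", "os": "Android 14", "managed": False},
}


def sign_with_ca(udid, transaction_id):
    """Placeholder for the CA (assumption): returns a constructed certificate identifier."""
    return f"CERT({udid},{transaction_id})"


@dataclass
class IDMS:
    approved_devices: set = field(default_factory=set)  # UDIDs approved for a derived credential
    issued: list = field(default_factory=list)          # audit trail of (udid, transaction_id)

    def lookup_device(self, email):
        """Registration steps 1-4: fetch the record from the MDM and validate it before display."""
        record = MDM_INVENTORY.get(email)
        if record is None:
            raise LookupError(f"MDM has no device for {email}")
        missing = {"udid", "model", "os", "managed"} - set(record)
        if missing:
            raise ValueError(f"MDM record incomplete: {sorted(missing)}")
        # Assumed policy: only devices under MDM management may be registered.
        if not record["managed"]:
            raise ValueError("device is not managed by the MDM")
        return record

    def approve(self, udid):
        """Registration step 5: the security official approves the derived credential request."""
        self.approved_devices.add(udid)

    def handle_scep(self, operation, udid, transaction_id):
        """Issuance step 4: verify the request is for an approved device, then route to the CA."""
        if operation != "PKIOperation":
            # GetCACaps / GetCACert are read-only queries and need no approval.
            return {"status": "ok", "body": operation}
        if udid not in self.approved_devices:
            return {"status": "rejected", "reason": "device not approved"}
        cert = sign_with_ca(udid, transaction_id)  # issuance step 5
        self.issued.append((udid, transaction_id))
        return {"status": "issued", "certificate": cert}


def gateway(idms, url):
    """The Microservice: accept only SCEP operations on the SCEP path and forward them to the IDMS."""
    parts = urlsplit(url)
    if parts.path != "/scep":
        return {"status": "rejected", "reason": "unknown path"}
    query = parse_qs(parts.query)
    operation = query.get("operation", [""])[0]
    if operation not in SCEP_OPERATIONS:
        return {"status": "rejected", "reason": f"unsupported operation {operation!r}"}
    udid = query.get("udid", [""])[0]
    transaction_id = query.get("transactionId", [""])[0]
    # Nothing else is reachable from here: the only downstream call is the IDMS.
    return idms.handle_scep(operation, udid, transaction_id)


if __name__ == "__main__":
    idms = IDMS()
    device = idms.lookup_device("alice@example.com")
    enrol = f"https://microservice.example/scep?operation=PKIOperation&udid={device['udid']}&transactionId=T1"
    print(gateway(idms, enrol))  # rejected: not yet approved
    idms.approve(device["udid"])
    print(gateway(idms, enrol))  # issued
```

Run stand-alone, the script shows the same PKIOperation being refused before approval and accepted after it, which is the ordering the two tables require.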