Documentation

Duo Trusted Endpoints - Ivanti Neurons for MDM (formerly known as MobileIron Cloud)

Last Updated: October 31st, 2024

Certificate-based Trusted Endpoint verification for Ivanti Neurons for MDM reached end-of-life on October 7, 2024. Duo device certificates will no longer renew after October 2024. Migrate existing iOS Certificate Configuration management integrations to iOS Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to allow REST API access for Duo to your managed mobile devices. This guide walks you through Ivanti Neurons for MDM configuration for Android and iOS mobile devices.

These instructions are for the cloud-hosted Ivanti Neurons for MDM service, formerly known as MobileIron Cloud and Ivanti Secure UEM. If you are using Ivanti Endpoint Manager Mobile, see our instructions for the on-premises MDM instead.

Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of iOS and Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.

Prerequisites

Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
An Ivanti Neurons Secure UEM license
Access to the Ivanti Neurons for MDM admin portal as an administrator with the rights to create roles, accounts, certificate authorities, device profiles, and enroll devices.

Android Configuration

Duo determines trusted device status on Android devices using Duo Mobile installed and activated for Duo Push on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Neurons for MDM's API access.

You must have already configured Android Enterprise and Work Profiles in Ivanti Neurons for MDM.

Create the Ivanti Neurons for MDM Integration

Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
On the "Add Management Tools Integration" page, locate Ivanti Neurons for MDM in the list of "Device Management Tools" and click the Add this integration selector.
Choose Android from the "Recommended" options, and then click the Add button.

The new Ivanti Neurons for MDM integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Duo Ivanti Neurons for MDM management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

Log on to the Ivanti Neurons for MDM admin portal as an administrator and click the Apps item on the left side of the page.
Click the Add button.
The default app catalog source may be set to the "iOS Store". Click the store drop-down list next to the search box and select the Google Play store from the list.
Once you've switched to the Google Play store, search for Duo Mobile, and then click on the Duo Mobile app shown in the search results.
Click the APPROVE button. You'll be shown the permissions needed by Duo Mobile. Click APPROVE again to accept these permissions.
Leave the "Approval Setting" for Duo Mobile set to the default option: "Keep approved when app requests new permissions." Click SAVE.
You'll return to the Duo Mobile application view, but now the app is "APPROVED". Click the Select button.
Make any desired app category selections or enter an optional description, and then click Next.
Since you already configured Android For Work (per the prerequisites), skip any further App Delegation and click Next.
Choose the user groups or individuals to whom you want to distribute Duo Mobile. Click Next.
Click the plus sign button to the right of Managed Configurations for Android to create a new configuration.
Give the configuration a unique name, such as "Duo Mobile Trusted Endpoint Config".
In the "Managed Configurations" section, locate the "Trusted Endpoint Identifier" field and enter ${deviceClientDeviceIdentifier} as the value.
Return to the Duo Admin Panel. Copy the Trusted Endpoints configuration key value (it will look similar to DPK0W0KLPJLOGSKHTDD) and paste it into the Ivanti Neurons for MDM Trusted Endpoints Configuration Key field.
Click Next and then click Done.

Create a Duo API Account

While still logged into Ivanti Neurons for MDM as an administrator, navigate to the Users page.
Click the Add button and choose API User on the pop-up menu.

Enter the following information on the "Basic" tab form:

Username	Enter the desired Duo account username.
First Name and Surname	Enter a first and last name for the Duo API user (e.g. "Duo" "Admin").
Email Address	This will be automatically populated with the Ivanti Neurons for MDM email address.
Password and Confirm Password	Enter and confirm a strong password for the Duo admin user.

Click the Done button to create the Duo API user.
Select the Duo API Admin user you just created by checking the box to the left of the username in the list of users. Click the Actions button and then click Append Roles. If you are viewing the details of the new Duo API user, click the Assign Roles icon underneath the user status information.
On the "Append Roles" or "Assign Roles to" page, check the boxes for the User Roles System Read Only (which also automatically includes "User Read Only") and Device Read Only. Click Next.
If you have additional spaces in your organization other than the "Default Space" make your appropriate selections from the available spaces and partitions for the "Device Read Only" role and then click Next.
Confirm your role and space selections and then click Done to assign the role privileges to the Duo API user.

Enter Ivanti Neurons Info in Duo

Return to the Duo Admin Panel. Enter the following information into the blank fields in the "API Details" section:

User Email Address	Enter the email address (which is also the username) of the Duo API user you created in Ivanti Neurons for MDM.
User Password	Enter the password for the Duo API user you created in Ivanti Neurons for MDM.
Ivanti Neurons for MDM Domain Name	Enter your organization's Ivanti Neurons domain. For example, `acmecorp.mobileiron.com`.

Click the Test Configuration button to verify Duo's API access to your Ivanti Neurons for MDM instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Ivanti Neurons for MDM configuration steps and entered the right information in the Duo Admin Panel.
After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify Android Device Information with Search

After you configure the connection between Ivanti Neurons for MDM and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Configuration

Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Ivanti Neurons for MDM's API access.

Before proceeding, install the Apple MDM Certificate for Ivanti Neurons for MDM to manage iOS devices.

Create the Ivanti Neurons for MDM with App Config Integration

Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
On the "Add Management Tools Integration" page, locate Ivanti Neurons for MDM in the list of "Device Management Tools" and click the Add this integration selector.
Choose iOS from the "Recommended" options, and then click the Add button.

The new Ivanti Neurons for MDM with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Ivanti Neurons for MDM with App Config management integration page to complete the configuration steps.