Generate a new Local CA

1. Open the MobileIron VSP Admin Portal.
2. Select Settings and open Local CA.
3. Press Add New and select Generate Self-Signed Cert.

   

   • Local CA Name: Enter a name based on your preference.
   • Key Length: Select 2048.
   • Issuer Name: Enter a name based on your preference, but it must start with CN=.
4. Click Generate.

   

5. Then click Save.
6. Click View Certificate on the new CA.
7. Copy the certificate to a new text file and save to the desktop.

Create a new SCEP

1. Open the MobileIron VSP Admin Portal.
2. Select Policies & Configs and open Configuration.
3. Press Add New and select SCEP.

   

   • Name: Enter a name based on your preference.
   • Setting Type: Select Local.
   • Local CAs: Name of the CA created in "Generate a new Local CA".
   • Subject: Enter a name based on your preference (e.g. CN=tunneling) but it must start with CN=..
   • Key Size: Select the same value you selected when generating the CA. In this case, select 2048.
4. Click Save.

Add and Configure the Sentry

1. Still within the MobileIron VSP Admin Portal, select Settings open Sentry.
2. Press Add New and select Standalone Sentry.

   

   • Sentry Host Name/IP: The DNS name your sentry is installed on. It must be reachable via the MobileIron VSP.
   • Sentry Port: The port open for connection via the MobileIron VSP (default is 9090).
   • Enable App Tunneling: Mark the checkbox.
   • Device Authentication: Select Identity Certificate.
3. Click Upload Certificate.
4. Browse and select the text file you saved to desktop in "Generate a new local CA".
5. Click Upload Certificate.

App Tunneling Configuration

In this section you setup Services to map to Files Advanced Gateway servers. The management server does not support Kerberos Constrained Delegation however you can enroll using the Gateway that is installed on the same machine as the management server. That is the configuration that should be used to support enrollment using Kerberos Constrained Delegation.

• Service Name: Enter a name based on your preference.
• Server Auth: Select Pass Through. This will be changed in a later part of this guide.
• Server List: Semi-colon separated list of servers. For this document we will use a single server. That will be the DNS address of the Files Advanced Gateway server and the port it is listening on.
• TLS Enabled: Mark the checkbox.

Click Save.

Click "View Certificate" on the new Sentry entry. This tests the connection between the VSP and Sentry. If you can’t get the certificate check the connections and ports between the VSP and Sentry. Do not proceed until this works.