Mobile Device Management or single sign-on only

This topic describes the differences between using CyberArk Identity for Mobile Device Management (MDM) or single sign-on only.

To present a cleaner and more intuitive user experience, MDM settings are only available on your tenant if you are currently using them or if you requested them from your account representative. Refer to the following table for expected behavior if you change your MDM tenant setting.

MDM entitlement change	Behavior
No > Yes	All new devices are enrolled in MDM by default, unless you change the policy setting for that user. Existing devices have to be re-enrolled for MDM; it does not happen automatically.
Yes > No	MDM policy settings are hidden in the Identity Administration portal. Existing devices remain enrolled in MDM until they are re-enrolled.

MDM entitlement change

Behavior

No > Yes

All new devices are enrolled in MDM by default, unless you change the policy setting for that user.

Existing devices have to be re-enrolled for MDM; it does not happen automatically.

Yes > No

MDM policy settings are hidden in the Identity Administration portal. Existing devices remain enrolled in MDM until they are re-enrolled.

The following policy settings are hidden from the Identity Administration portal if MDM is disabled on your tenant.

Endpoint policies path	Option(s)
Device Management Settings	Use CyberArk Identity for mobile device management (default yes)
Common Settings > Mobile Settings > Common	Report device installed applications
Common Settings > Mobile Settings > Restriction Settings	Permit camera use Permit user to unenroll devices Permit user to wipe devices Report mobile device location
iOS Settings > Restriction Settings	All
iOS Settings > Kiosk Mode	All
Touchdown Settings	All
Android Management Settings	All
OS X and iOS settings	All

If MDM is enabled on your tenant, CyberArk Identity provides mobile device management for enrolled Mac, iOS, and Android devices by default. The configuration setting is located in Policies > Endpoint Policies > Device Management Settings> Use CyberArk Identity Platform for mobile management drop-down options (Yes or No).

Refer to the following table for expected behavior when you change your MDM selection.

Operating system	Selection change	Behavior
iOS and Android	Yes > No (MDM > SSO only)	Devices remain enrolled in MDM until they are re-enrolled.
	No > Yes (SSO only > MDM)	Users are prompted to re-enroll their devices for MDM.
macOS	Yes > No (MDM > SSO only)	Devices remain enrolled in MDM until they are re-enrolled.
	No > Yes (SSO only > MDM)	Devices remain enrolled only for SSO until they are re-enrolled.

If you choose not to use CyberArk Identity for MDM, you can use a third-party MDM such as MobileIron, Airwatch, or Intune. If you use a third-party MDM, your users can still benefit from certificate-based authentication (CBA).

You can have only one mobile device management provider per device.

Use CyberArk Identity for Mobile Device Management

When you use CyberArk Identity for mobile device management, it allows you to do the following:

Define mobile device policies that CyberArk Identity automatically installs in the devices (see Manage device configuration policies).
Send commands from the Identity Administration portal to the device (see Use device management commands).

When you use CyberArk Identity for mobile device management, the device owner can also send many of the same commands to the devices from the user portal.
Deploy native iOS and Android mobile applications to the devices from the Identity Administration portal.
Configure Certificate-based authentication for CyberArk Identity access and applications launched inside and outside of the CyberArk Identity mobile app for both iOS and Android devices. On iOS devices, applications launched outside of the CyberArk Identity mobile app must use Safari browser for certificate-based authentication.

Use CyberArk Identity for single sign-on only

You can configure CyberArk Identity for single sign-on only if you do not need device management or you already use another MDM. When you use single sign-on only, you can do the following:

Assign web applications with single sign-on to users with Android and iOS devices.

Users must install the CyberArk Identity mobile app on their device to open the web applications from the device. Optionally, users can also assign web applications to their devices from the user portal. You manage this option using the Application policies—see Manage device configuration policies.
Create Policy sets to control device enrollment settings, conditional MFA, and authentication policies for launching applications.
Configure Certificate-based authentication for applications launched inside and outside of the CyberArk Identity mobile app for both iOS and Android devices. On iOS devices, applications launched outside of the CyberArk Identity mobile app must use Safari browser for certificate-based authentication.

When you use another service for mobile device management, CyberArk Identity does not provide the following features:

If you installed the CyberArk Identity Connector, the Idaptive Mobile and Installed Applications tabs are not added to the device’s Active Directory Properties.
This means you cannot send device management commands to a device from Active Directory Users and Computers.
The Idaptive Mobile tab is not added to the user’s Active Directory Properties.

This tab lists the devices enrolled by the user and lets you send commands to the devices.
Group policy profiles are not installed on the devices.

On Android devices, the CyberArk Identity mobile app does not have a Setup screen.
iOS devices do not have zero sign-on for applications launched in the Safari browser. Users must enter the username and password for the specific application. This limitation is caused by the Apple built-in certificate based authentication.

Users can still install the CyberArk Identity mobile app on their devices and get single sign-on to the web applications you assign to them. However, they are limited to which commands they can send to the device (see Use device management commands).

Use CBA with a third-party MDM

If you use a third-party MDM, you can still benefit from CyberArk Identity's certificate-based authentication. CyberArk Identity supports uploading an MDM-distributed certificate to enable conditional access to CyberArk Identity or web applications from managed devices. After logging in to a device that has a trusted certificate distributed by a third-party MDM, users can access CyberArk Identity without entering passwords or other MFA mechanisms. They simply go to your CyberArk Identity tenant URL in a supported browser and CyberArk Identity authenticates them using the certificate distributed by the MDM.

To enable certificate-based authentication for devices enrolled with a third-party MDM

Step 1: Upload the MDM-distributed certificate to the CyberArkIdentity Administration portal.

The certificate distributed by the MDM must be issued by a trusted CA.

Go to Settings > Authentication > Certificate Authorities, then click Add on the Trusted Certificate Authorities page.
Add a name for your certificate by entering a name. Decide how you want the user login extracted and select from:
- Principal Name from Subject Alternate Name
- RFC 822 Name Subject Alternate Name
- User Name from Subject
Choose the CA Chain by selecting the Browse button and selecting the certificate chain.

The uploaded file must contain all certificates required to establish chain trust from a user certificate. If chain trust verification requires intermediate authorities, package all required certificates in p7b format, and upload the p7b file. The p7b file should contain all intermediate authorities chaining up to a root authority.
Click Save.

Step 2: Create an authentication policy conditional on Certificate Authentication

Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
Click Authentication Policies > CyberArk Identity.
Select Yes in the Enable authentication policy controls drop-down.
Click Add Rule.

The Authentication Rule window appears.
Click Add Filter on the Authentication Rule window.
Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.
Select the authentication profile that you want applied if Certificate Authentication is true.

In this example, certificate authentication will bypass other authentication rules and the default profile, so the selected profile is not important.
In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.
Under Other Settings, select Use certificates for authentication and Certificate authentication bypasses authentication rules and default profile, then click Save.

Users with a trusted certificate distributed by a third-party MDM can now access the User Portal.

You can also use certificate-based authentication with web apps and native applications based on modern auth, or you can enforce additional authentication factors for devices using certificate-based authentication.

Configure MFA for certificate-based authentication

Secure apps with MFA

Possible next steps

Manage policy sets

Enroll devices

Manage adaptive MFA

Add and deploy mobile applications

The CyberArk Identity Browser Extension

Configure user self-service options

Install the CyberArk Identity Connector