We’re trying to use Ivanti Secure Connect VPN configured with checking Intune for compliance. The Ivanti Secure Connect appliance checks Intune for device compliance status and then the client checks for a Client Authentication certificate from Intune to verify the identity of the device. The certificate the client is looking for is an Extended Key Usage (EKU) type of Client Authentication. Intune places two certificates with this EKU on the device, and the Ivanti Pulse Secure client is unable to automatically pick which certificate it should use so it prompts the user. One certificate is the one for the Intune MDM Agent and the other is for the Intune MDM Device. Has anyone else been down this road? Any ideas on how to get the client to check for only the correct cert automatically?
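An added diagnostic (not from the post, and not Ivanti's or Microsoft's code) that lists every certificate carrying the Client Authentication EKU in the machine and user personal stores, so you can see the two competing Intune certificates side by side with their issuers and thumbprints. The `-match 'Intune'` issuer test is an assumption about how the Intune-issued certs are named; adjust it to whatever your tenant's issuing CA names look like.

```powershell
# Added diagnostic, not the original poster's code. Enumerates certificates with the
# Client Authentication EKU (id-kp-clientAuth) so you can see which ones an EKU-only
# filter, like the VPN client's, would be choosing between.
# Assumption: Intune-issued certs have an issuer name containing "Intune".

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Pull the Enhanced Key Usage extension, if the certificate has one.
            $ekuExt = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            # Only report certs whose EKU list explicitly includes clientAuth,
            # which is the filter the post describes the client applying.
            $hasClientAuth = $ekuExt -and
                ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
            if ($hasClientAuth) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $cert.Subject
                    Issuer        = $cert.Issuer
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    IntuneIssued  = ($cert.Issuer -match 'Intune')   # assumption, see above
                }
            }
        }
    }
}

# Run as admin to see the LocalMachine store; sorted so the Intune certs sit together.
Get-ClientAuthCertificate | Sort-Object Store, Issuer | Format-Table -AutoSize
```

Comparing the Subject and Issuer columns of the two Intune entries is what tells you which one represents the device identity, and the Thumbprint column gives you the value to pin the VPN profile to if the client supports selecting by thumbprint or issuer rather than by EKU alone.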
I don't have a direct answer to your question OP. I am very sorry. But for the sake of getting something off my chest:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Don’t use the Ivanti VPN. Yes, this vuln has been mitigated, but they have had a LOT of vulnerabilities over the last little while with this little product. We currently use their EPM core and they just had a vulnerability with their CSA that requires us to completely rebuild it.
If you can, I say abandon Ivanti. I've taken my Macs and done all that I can to keep them divorced from the VPN AND from any Ivanti product. It's a move that takes time, but you will be much better off for it down the road.
In a sane world, your MDM should be enough, and if you need some kind of network routing, go with a Twingate. A hard sell, I know.
Doesn’t hurt to dream, right?
Not only do they have a lot of vulnerabilities but the company has had so many PR disasters… https://www.reddit.com/r/SCCM/comments/16gtgyl/patchmypc_wins_lawsuit_from_ivanti/
The fact is most of their product lines are things they bought using similar methods and then didn’t do much to upkeep them, hence you get security holes based on code from 2000.
Good luck OP
Can confirm, Ivanti is a classic legacy enterprise vendor. At least twice as expensive but at best half as good. They have stamped out quality engineering and consistently prefer marketing and sales (for a range of products that really have no value if they don’t work correctly). It’s incredible how they still exist.
Tell me about it. And even their new solutions like Neurons aren't feature complete without their legacy garbage solutions like EPM. And they have the gall to say it's enough to rival device management systems like Jamf or Intune.
When they told us that, I had an audible laugh on mute with my coworkers XD good times
You wanna know what's completely wild to me? We have regular tech check-ins on our products with them (because they don't work on our Windows fleet). And every week we have one, without fail, 10 minutes in, they pitch us their Neurons solution.
The kicker here? You HAVE to have EPM to use it to its fullest. Neurons isn't feature complete as an MDM or deployment system. And it's a separate, steeper licensing cost.
Oh, but if you heard the guys in our meeting, you would think Neurons has had a lot of improvements since I last checked on it a month ago. Nope, same garbage ass product.
Needless to say we are leaving them, but it will take us a long time to get there :?
Not to mention that the VPN product has been bought and sold so many times I forget the entire history:
Juniper > Pulse Secure > Ivanti
So far, they have been really good at buying things that are bad (i.e. Workspace Control, Pulse Secure) and spending their time and effort on branding rather than making them not bad. What's extra dumb about it is that it was bad way before they were signing contracts, and years later it is still bad. They must have known all of this from the beginning and not had the willpower or capacity to do something about it.
I suppose they are just working on collecting as much bad software as they can, gotta catch them all.