Setting up Entrust derived credentials during registration

When device users register their devices with MobileIron Core, they can set up Entrust derived credentials for use by AppConnect apps. The device user does the following tasks as part of this registration and derived credential setup process:

Authenticating to the user portal with a smart card
Generating the one-time registration PIN
Requesting an Entrust derived credential
Installing Mobile@Work
Registering Mobile@Work for iOS
Registering Mobile@Work for Android and installing Android AppConnect apps
Installing the PIV-D Manager app for iOS
Activating the Entrust derived credential requested on the user portal
Installing AppConnect apps for iOS
Running AppConnect apps for iOS
Running AppConnect apps for Android

Authenticating to the user portal with a smart card

A device user authenticates to the user portal with a smart card. This procedure is supported only on desktop computers. It is not supported with:

mobile devices
Firefox

Procedure 

1. Connect a smart card reader, with a smart card inserted, to a desktop computer.
2. On the desktop computer, point a supported browser to https://<Your MobileIron Core domain>.

For example: https://core.mycompany.com

3. Click Sign in with Certificate.
4. Select the certificate from the smart card.
5. When prompted, enter the PIN for the smart card.

Generating the one-time registration PIN

After signing in to the user portal, a device user generates a one-time registration PIN on the user portal.

Procedure 

1. Click Request Registration PIN.

A form called Request Registration PIN displays.

2. For Platform, select iOS or Android, depending on the device.
3. Fill in the remaining required fields.
4. Click Request PIN.

A registration PIN displays along with the user name.

5. Copy the registration PIN and user name to enter later into Mobile@Work on the device.

IMPORTANT: Do not register the device until after you request a derived credential and receive the Entrust activation password.

Requesting an Entrust derived credential

After the device user has generating the one-time registration PIN, the device user must request an Entrust derived credential before registering the device.

To request an Entrust derived credential, the device user continues on the self-service user portal on the screen that confirms that the registration PIN was successfully generated.

Procedure 

1. Click Request Derived Credential.

The user portal redirects the browser to the Entrust.IdentityGuard Self-Service Module, which requests the user to enter their smart card’s PIN to access the site.

2. On the Entrust.IdentityGuard Self-Service Module, follow the steps to request a derived credential. These steps are specific to your Entrust setup.

Important:

a. Copy the Entrust activation password to enter later in the PIV-D Entrust app on the device.
b. Click Done to return to the MobileIron Core self-service user portal.

The Entrust Identity Guard Self-Service Module redirects the browser back to the MobileIron Core self-service user portal.

About an Entrust derived credential requested from the user portal

An Entrust derived credential (and its Entrust activation password) typically expire after a short time, such as 30 minutes (configurable in your Entrust Identity Guard Self-Service Module setup). Furthermore, the derived credential that is requested from the self-service user portal is associated with the registration PIN just generated. Therefore, consider these scenarios:

The Entrust derived credential expires before the device user registers a device.

If the device user registers with the existing registration PIN, the user must request and activate a new derived credential as described in Setting up Entrust derived credentials after registration. Alternatively, the device user can generate a new registration PIN and request another derived credential.

The Entrust derived credential expires after the device user registers a device.

The device user must request and activate a new derived credential as described in Setting up Entrust derived credentials after registration.

Installing Mobile@Work

Instruct your device users to install the Mobile@Work for iOS app or Mobile@Work for Android app on their devices. Typically, device users download the iOS app from the Apple App Store, and the Android app from Google Play. However, if your environment provides Mobile@Work for iOS through the MobileIron Core App Catalog, instruct the device users appropriately.

Registering Mobile@Work for iOS

The device user registers Mobile@Work for iOS to MobileIron Core using the one-time registration PIN that the device user generated on the user portal. The device user must also have requested an Entrust derived credential on the user portal.

Procedure 

1. Launch Mobile@Work on the device.
2. Enter the user name.
3. Enter the MobileIron Core address

For example: core.mycompany.com

4. Enter the one-time registration PIN generated from the user portal.
5. Tap Register.
6. Follow the Mobile@Work instructions to complete registration.

Registering Mobile@Work for Android and installing Android AppConnect apps

The device user registers Mobile@Work for Android to MobileIron Core using the one-time registration PIN that the device user generated on the user portal. The device user must also have requested an Entrust derived credential on the user portal.

The registration process concludes with:

Installing the Secure Apps Manager, the PIV-D Entrust app, and any other mandatory AppConnect apps that you have assigned to this device.

Because these apps are specified as mandatory apps in the MobileIron Core App Catalog, they are all installed.

Creating the secure apps passcode.

Procedure 

1. Launch Mobile@Work on the device.
2. Enter your email address or tap Or register with server URL to enter the MobileIron Core address, such as core.mycompany.com.
3. Tap Next.
4. If prompted, accept the certificate.
5. Tap Continue on the screen about privacy.
6. Enter the one-time registration PIN generated from the user portal.
7. Tap Sign In.
8. Follow the Mobile@Work instructions to complete its setup, leading you to the screen for setting up the Secure Apps Manager.
9. Tap Continue.
10. Tap Begin to install the Secure Apps Manager, the PIV-D Entrust app, and any other mandatory AppConnect apps that you have assigned to this device.
11. Follow the instructions to install the apps.

After the installations complete, the Passcode Setup screen displays.

12. Enter a new secure apps passcode.
13. Enter the secure apps passcode again.
14. Tap the checkmark.

Installing the PIV-D Manager app for iOS

The device user installs the PIV-D Manager app for iOS, which allows device users to activate the Entrust derived credential that they requested when they requested the MobileIron Core registration PIN. Device users can also use the app to request new Entrust derived credentials after they have already registered the device.

Procedure 

1. Launch Apps@Work on the device.
2. Tap the listing for the PIV-D Manager app.
3. Tap Install.
4. On the pop-up, tap Install.

Activating the Entrust derived credential requested on the user portal

The device user activates the Entrust derived credential that they requested on the MobileIron Core self-service user portal.

Activating the Entrust derived credential on iOS devices
Activating the Entrust derived credential on Android devices

Activating the Entrust derived credential on iOS devices

Procedure

1. Launch the PIV-D Manager app for iOS.

The app switches control to Mobile@Work, which prompts the device user to create a secure apps passcode.

2. Follow the Mobile@Work instructions to create a secure apps passcode.
3. After creating the secure apps passcode, tap Done.

Control switches back to the PIV-D Manager app.

4. Tap on Entrust IdentityGuard.

The app displays a screen that indicates that a new credential is ready for activation, and prompts for the Entrust activation password.

5. Tap Enter Password.

The app displays a screen for entering the Entrust activation password.

Enter the Entrust activation password.

6. Tap Activate.
7. Wait while the app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

8. Enter a new derived credential PIN and enter it again to confirm it.
9. Tap Done.

The app displays that the derived credential has been successfully activated.

10. Tap anywhere on the screen.

The app displays the derived credential, which is now available for AppConnect apps to use.

If you re-launch the PIV-D Manager app, a screen displays that activation was successful.

NOTE: If the Entrust activation password has expired, the PIV-D Manager app displays that an error occurred during activation. Tap Try Again to return to the Authentication required screen. Tap Scan QR code at the bottom of the screen to create a new derived credential. See Setting up Entrust derived credentials after registration.

Activating the Entrust derived credential on Android devices

Procedure 

1. Launch the PIV-D Entrust app.
2. If prompted, enter the secure apps passcode
3. Enter the Entrust activation passcode.
4. Tap Activate.
5. Wait while the PIV-D Entrust app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

6. Enter a new derived credential PIN and enter it again to confirm it.
7. Tap Done.

The app displays the derived credential. The derived credential, which includes three certificates, is now available for AppConnect apps to use.

NOTE: If the Entrust activation password has expired, the PIV-D Entrust app displays that an error occurred during activation. Tap Try Again to return to the screen for entering the activation password. Close the keyboard to reveal the icon for scanning the QR code. Tap the icon to create a new derived credential. See Setting up Entrust derived credentials after registration.

Related topics 

"About the derived credential PIN" in Using Bluetooth for Entrust derived credential authentication on Windows

Installing AppConnect apps for iOS

The device user installs each AppConnect app for iOS that uses derived credentials.

Procedure 

1. Launch Apps@Work for iOS on the device.
2. Tap the listing for the AppConnect app.
3. Tap Request.
4. Tap Install.

Running AppConnect apps for iOS

To run an iOS AppConnect app, including Web@Work, Docs@Work, or Email+, the device user launches the app, and then enters the secure apps passcode if prompted by [email protected] app then receives the Entrust derived credential from Mobile@Work.

NOTE: If an AppConnect app expects certificates from a derived credential but the derived credential is not available in Mobile@Work, the app becomes unauthorized. Some apps, such as Web@Work, display the unauthorized message. It says: “Missing required credentials. Please ensure you provisioned the credentials”.

Running AppConnect apps for Android

To run an Android AppConnect app, the device user launches the app, and then enters the secure apps passcode if prompted by the Secure Apps Manager. The app then receives the Entrust derived credential from the Secure Apps Manager.

NOTE: If an AppConnect app expects certificates from a derived credential but the derived credential is not available in the Secure Apps Manager, the app becomes unauthorized.