Setting up Entrust derived credentials after registration

If device users do not set up Entrust derived credentials when they register their device, they can set them up later. The procedure differs from the one used at registration.

A device user does the following tasks:

Getting a QR code and Entrust activation password
Getting Entrust derived credentials on the device

Getting a QR code and Entrust activation password

The user gets a QR code and Entrust activation password from your Entrust self-service portal. This portal is specific to your setup, so the following steps are general. They do not include wording and navigation specific to your Entrust self-service portal.

Procedure 

1. Connect a smart card reader, with a smart card inserted, to a desktop computer.
2. On the desktop, open a browser and enter the https:// URL for your Entrust self-service portal.
3. Log in to the portal with the smart card certificate.
4. When prompted, enter the PIN for the smart card.
5. Select the option to enroll for derived credentials using the PIV-D Entrust app on Android or the PIV-D Manager app on iOS.
6. Provide a name for the new derived credential identity.

On iOS devices, Mobile@Work will use this name when displaying the derived credential. On Android devices, the PIV-D Entrust app will display this name.

7. Provide other information, if requested.

The Entrust self-service portal displays:

a QR code
an Entrust activation password

Leave this screen displayed on the desktop while you continue to the next task, which is on the device.

Getting Entrust derived credentials on the device

After using the Entrust self-service portal to get a QR (Quick Response) code and Entrust activation password, a device user uses the PIV-D Entrust app on Android devices and the PIV-D Manager app on iOS devices to get derived credentials on a device.

Getting Entrust derived credentials on an iOS device
Getting Entrust derived credentials on an Android device

Getting Entrust derived credentials on an iOS device

Procedure 

1. Install the PIV-D Manager app if it is not already installed:
a. Launch Apps@Work on the device.
b. Tap the listing for the PIV-D Manager app.
c. Tap Install.
d. On the pop-up, tap Install.

2. Launch the PIV-D Manager app.

3. If this is the first time you have launched an AppConnect app on the device, follow the Mobile@Work instructions to create a secure apps passcode.

After you create the secure apps passcode, control returns to the PIV-D Manager app.

4. Tap Entrust IdentityGuard.

The app displays a screen that uses the camera to scan the QR code, which is displayed in the Entrust self-service portal on the desktop computer.

5. Tap OK if you are prompted to allow the PIV-D Manager app to access the camera.
6. Point the camera at the QR code to scan it.

When the app has scanned the QR code, it prompts you to enter the Entrust activation password.

7. Enter the Entrust activation password, which is displayed in the Entrust self-service portal on the desktop computer.
8. Tap Activate.
9. Wait while the app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

10. Enter a new derived credential PIN and enter it again to confirm it.
11. Tap Done.

The app indicates that the derived credential has been successfully activated.

12. Tap anywhere on the success screen.

The app displays the derived credential, which is now available for AppConnect apps to use.

If you relaunch the PIV-D Manager app, it displays a screen confirming that activation was successful.

Getting Entrust derived credentials on an Android device

Procedure 

1. Launch the PIV-D Entrust app.
2. If prompted, enter the secure apps passcode.
NOTE: If the app opens to the screen for entering the Entrust activation passcode, close the keyboard and tap the Scan QR code button in the lower right-hand corner.
3. If prompted, allow the PIV-D Entrust app to take pictures and record video.
4. Point the camera at the QR code to scan it.

When the app has scanned the QR code, it prompts you to enter the Entrust activation password.

5. Enter the Entrust activation password, which is displayed in the Entrust self-service portal on the desktop computer.
6. Tap Activate.
7. Wait while the app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

8. Enter a new derived credential PIN and enter it again to confirm it.
9. Tap Done.

The PIV-D Entrust app displays the derived credential. The derived credential is now available for AppConnect apps to use.

See "About the derived credential PIN" in Using Bluetooth for Entrust derived credential authentication on Windows.