Device user tasks to use derived credentials

After you have configured MobileIron Core to support the use of derived credentials, the tasks that a device user performs to use derived credentials depend on:

whether the device is Android or iOS
whether the derived credential provider is Entrust, DISA Purebred, or another provider

The tasks are listed in:

Device user tasks to use Entrust derived credentials
Device user tasks to use DISA Purebred derived credentials
Device user tasks to use another provider’s derived credentials

Note the following:

These task lists assume you use Apps@Work to distribute apps to iOS devices. However, using Apps@Work is not required. Various methods are available for device users to get the app on their iOS devices. Therefore, tasks related to using Apps@Work are optional.
These task lists assume that you want device users to register Mobile@Work using a registration PIN rather than with a user ID and password, since typically, device users who use smart cards do not have passwords. However, using a registration PIN is a requirement only with Entrust derived credentials. For other derived credential providers, it is not a requirement, and therefore the related tasks are optional.

Device user tasks to use Entrust derived credentials

1. Authenticate to the MobileIron Core self-service user portal with a smart card.
2. Generate a one-time registration PIN.
3. Request a derived credential from Entrust, which generates a one-time Entrust activation password.
4. Install Mobile@Work on the device.
5. Register Mobile@Work with MobileIron Core using the one-time registration PIN.
6. For Android devices, install the Secure Apps Manager for Android on the device, followed by the PIV-D Manager app, and any AppConnect apps.
7. For iOS devices, install the AppConnect apps on the device.
8. For iOS devices:
a. Install the PIV-D Manager app for iOS on the device.
b. Launch the PIV-D Manager app and select the Entrust option to activate the derived credential with the one-time Entrust activation password.
9. For Android devices:
a. Install the PIV-D Manager app for Android on the device.
b. Launch the PIV-D Manager app to activate the derived credential with the one-time activation password.
10. Use the AppConnect apps.

Device users who are already registered with MobileIron Core can get derived credentials by doing the following:

1. Get a QR code and Entrust activation password from the Entrust self-service portal.
2. Get a derived credential using the PIV-D Manager app for iOS or the PIV-D Manager app for Android.

The following diagrams summarize what happens when:

A device user requests a registration PIN and Entrust derived credential
An iOS user activates an Entrust derived credential
An Android user activates an Entrust derived credential

Figure 1. A device user requests a registration PIN and Entrust derived credential

Figure 2. An iOS user activates an Entrust derived credential

Figure 3. An Android user activates an Entrust derived credential

Device user tasks to use DISA Purebred derived credentials

Using DISA Purebred derived credentials is supported only on iOS devices.

1. Install the DISA Purebred Registration app on the device.
2. Authenticate to the MobileIron Core self-service user portal with a smart card.
3. Generate a one-time registration PIN.
4. Install Mobile@Work for iOS on the device.
5. Register Mobile@Work with MobileIron Core using the one-time registration PIN.
6. Install the AppConnect apps on the device.
7. Install the PIV-D Manager app for iOS on the device.
8. Launch the DISA Purebred Registration app to get the derived credential.
9. Launch the PIV-D Manager app and select the DISA Purebred option to import the derived credential’s certificates from the DISA Purebred Registration app. The PIV-D Manager app then sends all the certificates to Mobile@Work.
10. Use the AppConnect apps.

The following diagram shows what happens when the device user gets a DISA Purebred derived credential.

Figure 4. An iOS user activates a DISA Purebred derived credential

Device user tasks to use another provider’s derived credentials

Third-party derived credential apps are supported on iOS devices.

1. Authenticate to the MobileIron Core self-service user portal with a smart card.
2. Generate a one-time registration PIN.
3. Install Mobile@Work on the device.
4. Register Mobile@Work with MobileIron Core using the one-time registration PIN.
5. For iOS devices, install the third-party derived credential app for iOS and any AppConnect apps on the device.
6. Launch the derived credential app and follow its instructions.
7. Use the AppConnect apps.

Mobile device requirements for using derived credentials