Device user tasks to use derived credentials
After you have configured Ivanti EPMM to support the use of derived credentials, the tasks that a device user does to use derived credentials depend on:
- whether the device is Android or iOS
- whether the derived credential provider is Entrust, DISA Purebred, or another provider
The tasks are listed in:
These task lists assume you use Apps@Work to distribute apps to iOS devices. However, using Apps@Work is not required. Various methods are available for device users to get the app on their iOS devices. Therefore, tasks related to using Apps@Work are optional.
These task lists assume that you want device users to register Mobile@Work using a registration PIN rather than with a user ID and password, since typically, device users who use smart cards do not have passwords. However, using a registration PIN is a requirement only with Entrust derived credentials. For other derived credential providers, it is not a requirement, and therefore the related tasks are optional.
Device user tasks to use Entrust derived credentials
- Authenticate to the Ivanti EPMM self-service user portal with a smart card.
- Generate a one-time registration PIN.
- Request a derived credential from Entrust, which generates a one-time Entrust activation password.
- Install Mobile@Work on the device.
- Register Mobile@Work with Ivanti EPMM using the one-time registration PIN.
- For Android devices, install the Secure Apps Manager for Android on the device, followed by the PIV-D Manager app, and any AppConnect apps.
- For iOS devices, install the AppConnect apps on the device.
- For iOS devices:
  - Install the PIV-D Manager app for iOS on the device.
  - Launch the PIV-D Manager app and select the Entrust option to activate the derived credential with the one-time Entrust activation password.
- For Android devices:
  - Install the PIV-D Manager app for Android on the device.
  - Launch the PIV-D Manager app to activate the derived credential with the one-time activation password.
- Use the AppConnect apps.

Device users who are already registered with Ivanti EPMM can get derived credentials by doing the following:
- Get a QR code and Entrust activation password from the Entrust self-service portal.
- Get a derived credential using the PIV-D Manager app for iOS or the PIV-D Manager app for Android.

The following diagrams summarize what happens when:
Figure 1. A device user requests a registration PIN and Entrust derived credential
Figure 2. An iOS user activates an Entrust derived credential
Figure 3. An Android user activates an Entrust derived credential
Device user tasks to use DISA Purebred derived credentials
Using DISA Purebred derived credentials is supported only on iOS devices.
- Install the DISA Purebred Registration app on the device.
- Authenticate to the Ivanti EPMM self-service user portal with a smart card.
- Generate a one-time registration PIN.
- Install Mobile@Work for iOS on the device.
- Register Mobile@Work with Ivanti EPMM using the one-time registration PIN.
- Install the AppConnect apps on the device.
- Install the PIV-D Manager app for iOS on the device.
- Launch the DISA Purebred Registration app to get the derived credential.
- Launch the PIV-D Manager app and select the DISA Purebred option to import the derived credential’s certificates from the DISA Purebred Registration app. The PIV-D Manager app then sends all the certificates to Mobile@Work.
- Use the AppConnect apps.
The following diagram shows what happens when the device user gets a DISA Purebred derived credential.
Figure 4. An iOS user activates a DISA Purebred derived credential
Device user tasks to use another provider’s derived credentials
Third-party derived credential apps are supported on iOS devices. On Android devices, the Intercede derived credential app is supported.
- Authenticate to the Ivanti EPMM self-service user portal with a smart card.
- Generate a one-time registration PIN.
- Install Mobile@Work on the device.
- Register Mobile@Work with Ivanti EPMM using the one-time registration PIN.
- For Android devices, install the Secure Apps Manager for Android on the device, followed by the Intercede derived credential app, and any AppConnect apps.
- For iOS devices, install the third-party derived credential app for iOS and any AppConnect apps on the device.
- Launch the derived credential app and follow its instructions.
- Use the AppConnect apps.