Setting up Entrust derived credentials during registration

When device users register their devices with MobileIron Cloud, they can set up derived credentials for use by AppConnect apps. The device user does the following tasks as part of this registration and derived credential setup process:

Authenticating to the MobileIron Cloud Self-Service Portal with a smart card
Generating the one-time registration PIN and requesting a derived credential
Installing MobileIron Go
Registering MobileIron Go for iOS
Registering MobileIron Go for Android and installing Android AppConnect apps
Setting up Entrust derived credentials during registration
Activating the Entrust derived credential requested on the Self-Service Portal
Installing AppConnect apps for iOS
Running AppConnect apps for iOS
Running AppConnect apps for Android

Authenticating to the MobileIron Cloud Self-Service Portal with a smart card

A device user authenticates to the MobileIron Cloud Self-Service Portal with a smart card. This procedure is supported only on desktop computers. It is not supported with:

mobile devices
Firefox

This procedure assumes you have sent the device user an email invitation to register with MobileIron Cloud. The email provides a link to the Self-Service Portal sign-in page because you have configured both of the following for the device user:

A Self Service Portal Authentication setting where the Self Service Portal Authentication Type is Certificate
A Device Registration Setting where the Device Registration Authentication Type is PIN Only

Procedure 

1. Connect a smart card reader, with a smart card inserted, to a desktop computer.
2. On the desktop computer, point a supported browser to the link specified in the email.
3. Click Sign in with Certificate.
4. Select the certificate from the smart card.
5. When prompted, enter the PIN for the smart card.

Generating the one-time registration PIN and requesting a derived credential

After signing in to the MobileIron Cloud Self-Service Portal, a device user requests a one-time registration PIN and a derived credential from Entrust.

NOTE: Do not register the device until after you request a derived credential and receive the Entrust activation password.

Procedure 

1. Click Request PIN and Derived Credential.

The MobileIron Cloud Self-Service Portal redirects the browser to the Entrust IdentityGuard Self-Service Module, which requires the user to log in with their smart card to access the site.

2. On the Entrust IdentityGuard Self-Service Module, follow the steps to request a derived credential. These steps are specific to your Entrust setup.

As part of these steps, be sure to:

a. Copy the Entrust activation password to enter later in the PIV-D Manager app on the device.
b. Click Done to return to the MobileIron Cloud Self-Service Portal.

The Entrust IdentityGuard Self-Service Module redirects the browser back to the MobileIron Cloud Self-Service Portal.

A registration PIN displays.

3. Copy the registration PIN to enter later into MobileIron Go on the device.

About a derived credential requested from the MobileIron Cloud Self-Service Portal

A derived credential (and its Entrust activation password) typically expires after a short time, such as 30 minutes (configurable in your Entrust IdentityGuard Self-Service Module setup). Therefore, consider these scenarios:

The derived credential expires before the device user registers a device.

If the device user registers with the existing registration PIN, the user must request and activate a new derived credential as described in Setting up Entrust derived credentials after registration. Alternatively, the device user can generate a new registration PIN and request another derived credential.

The derived credential expires after the device user registers a device.

The device user must request and activate a new derived credential as described in Setting up Entrust derived credentials after registration.

Installing MobileIron Go

Instruct your device users to install the following apps, depending on whether they use iOS or Android:

iOS: MobileIron Go for iOS

Device users get the app from the Apple App Store.

Android:
- MobileIron Go for Android
- the Secure Apps Manager app

Device users get MobileIron Go from Google Play. The Secure Apps Manager app is bundled in MobileIron Go and installs as a separate app on the device.

Registering MobileIron Go for iOS

The device user registers MobileIron Go for iOS to MobileIron Cloud using the one-time registration PIN that the device user generated on the MobileIron Cloud Self-Service Portal.

Procedure 

1. Launch MobileIron Go on the device.
2. Enter the user name.
3. Tap Next.
4. Enter the one-time registration PIN generated from the MobileIron Cloud Self-Service Portal.
5. Tap Sign In.
6. Follow the MobileIron Go instructions to complete registration.

Registering MobileIron Go for Android and installing Android AppConnect apps

To register to MobileIron Cloud, device users must first generate a one-time registration PIN and request a derived credential using the MobileIron Cloud Self-Service Portal. Then device users launch MobileIron Go on the device and enter:

their user name
the one-time registration PIN

For Android AppConnect, device users then follow MobileIron Go instructions to install the Secure Apps Manager. The Secure Apps Manager gives instructions to:

create the secure apps passcode.
install the PIV-D Manager app and any other mandatory AppConnect apps that you have assigned to this device.

Installing the PIV-D Manager app for iOS

The device user installs the PIV-D Manager app for iOS, which allows device users to activate the derived credential that they requested along with the MobileIron Cloud registration PIN. Device users can also use the app to request new derived credentials after they have already registered the device.

Procedure 

1. Launch the App Catalog on the device.
2. Tap the listing for the PIV-D Manager app.
3. Tap Install.
4. On the pop-up, tap Install.

Activating the Entrust derived credential requested on the Self-Service Portal

The device user activates the derived credential that they requested on the MobileIron Cloud Self-Service Portal.

The different procedures for iOS and Android devices are described in:

Activating the Entrust derived credential on an iOS device
Activating the Entrust derived credential on an Android device

Activating the Entrust derived credential on an iOS device

Procedure

1. Launch the PIV-D Manager app for iOS.

The app switches control to MobileIron Go, which prompts the device user to create a secure apps passcode.

2. Follow the MobileIron Go instructions to create a secure apps passcode.
3. After creating the secure apps passcode, tap Done.

Control switches back to the PIV-D Manager app.

4. Tap on Entrust IdentityGuard.

The app displays a screen that indicates that a new credential is ready for activation, and prompts for the Entrust activation password.

5. Tap Enter Password.

The app displays a screen for entering the Entrust activation password. Enter the Entrust activation password.

6. Tap Activate.
7. Wait while the app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

8. Enter a new derived credential PIN and enter it again to confirm it.
9. Tap Done.

The app displays that the derived credential has been successfully activated.

10. Tap anywhere on the screen.

The app displays the derived credential, which is now available for AppConnect apps to use.

If you re-launch the PIV-D Manager app, a screen displays that activation was successful.

NOTE: If the Entrust activation password has expired, the PIV-D Manager app displays that an error occurred during activation. Tap Try Again to return to the Authentication required screen. Tap Scan QR code at the bottom of the screen to create a new derived credential. See Setting up Entrust derived credentials after registration.

Activating the Entrust derived credential on an Android device

Procedure 

1. Launch the PIV-D Manager app.
2. If prompted, enter the secure apps passcode.
3. Enter the Entrust activation password.
4. Tap Activate.
5. Wait while the PIV-D Manager app validates the entry with Entrust.

When the validation is complete, the app displays a screen for setting the derived credential PIN. This PIN is used when the device user authenticates over Bluetooth to a Windows 10 computer with the derived credential.

6. Enter a new derived credential PIN and enter it again to confirm it.
7. Tap Done.

The app displays the derived credential. The derived credential, which includes three certificates, is now available for AppConnect apps to use.

NOTE: If the Entrust activation password has expired, the PIV-D Manager app displays that an error occurred during activation. Tap Try Again to return to the screen for entering the activation password. Close the keyboard to reveal the icon for scanning the QR code. Tap the icon to create a new derived credential. See Setting up Entrust derived credentials after registration.

See "About the derived credential PIN" in Using Bluetooth for Entrust derived credential authentication on Windows.

Installing AppConnect apps for iOS

The device user installs each AppConnect app for iOS that uses derived credentials.

Procedure 

1. Launch the App Catalog for iOS on the device.
2. Tap the listing for the AppConnect app.
3. Tap Install.
4. On the pop-up, tap Install.

Running AppConnect apps for iOS

To run an iOS AppConnect app, including Web@Work, Docs@Work, or Email+, the device user launches the app, and then enters the secure apps passcode if prompted by MobileIron Go. The app then receives the derived credential from MobileIron Go.

NOTE: If an AppConnect app expects certificates from a derived credential but the derived credential is not available in MobileIron Go, the app becomes unauthorized. Some apps, such as Web@Work, display the unauthorized message. It says: “Missing required credentials. Please ensure you provisioned the credentials”.

Running AppConnect apps for Android

To run an Android AppConnect app, including Web@Work, Docs@Work, or Email+, the device user launches the app, and then enters the secure apps passcode if prompted by the Secure Apps Manager. The app then receives the derived credential from the Secure Apps Manager.

NOTE: If an AppConnect app expects certificates from a derived credential but the derived credential is not available in the Secure Apps Manager, the app becomes unauthorized.