Setting up Purebred derived credentials on iOS devices

After device users register their devices with MobileIron Cloud, they can set up DISA Purebred derived credentials for use by AppConnect apps. The device user does the following tasks:

Authenticating to the MobileIron Cloud Self-Service Portal with a smart card
Generating the one-time registration PIN
Installing MobileIron Go for iOS
Registering MobileIron Go for iOS
Installing the DISA Purebred Registration app
Installing the PIV-D Manager app for iOS
Getting a DISA Purebred derived credential
Installing AppConnect apps for iOS
Running AppConnect apps for iOS

Authenticating to the MobileIron Cloud Self-Service Portal with a smart card

A device user authenticates to the MobileIron Cloud Self-Service Portal with a smart card. This procedure is supported only on desktop computers. It is not supported with:

mobile devices
Firefox

This procedure assumes you have sent the device user an email invitation to register with MobileIron Cloud. The email provides a link to the Self-Service Portal sign-in page because you have configured both of the following for the device user:

A Self Service Portal Authentication setting where the Self Service Portal Authentication Type is Certificate
A Device Registration Setting where the Device Registration Authentication Type is PIN Only

Procedure 

1. Connect a smart card reader, with a smart card inserted, to a desktop computer.
2. On the desktop computer, point a supported browser to the link specified in the email.
3. Click Sign in with Certificate.
4. Select the certificate from the smart card.
5. When prompted, enter the PIN for the smart card.

Generating the one-time registration PIN

After signing in to the MobileIron Cloud Self-Service Portal, a device user requests a one-time registration PIN on the Portal.

1. Click Request a PIN.

A one-time registration PIN displays.

2. Copy the registration PIN and user name to enter later into MobileIron Go on the device.

Installing MobileIron Go for iOS

Instruct your device users to install MobileIron Go for iOS on their devices. Device users get the app from the Apple App Store.

Registering MobileIron Go for iOS

The device user registers MobileIron Go for iOS to MobileIron Cloud using the one-time registration PIN that the device user generated on the MobileIron Cloud Self-Service Portal.

Procedure 

1. Launch MobileIron Go on the device.
2. Enter the user name.
3. Tap Next.
4. Enter the one-time registration PIN generated from the MobileIron Cloud Self-Service Portal.
5. Tap Sign In.
6. Follow the MobileIron Go instructions to complete registration.

Installing the DISA Purebred Registration app

The DISA Purebred Registration app gets the Purebred derived credential and passes the credential’s certificates to the PIV-D Manager app, which in turn passes them to MobileIron Go for iOS. Make sure the app is installed on applicable devices. Instruct the device users appropriately.

Installing the PIV-D Manager app for iOS

The device user installs the PIV-D Manager app for iOS. This app gets the DISA Purebred derived credential from the DISA Purebred Registration app, and passes the derived credential’s certificates to MobileIron Go for iOS.

Procedure 

1. Launch the App Catalog on the device.
2. Tap the listing for the PIV-D Manager app.
3. Tap Install.
4. On the pop-up, tap Install.

Getting a DISA Purebred derived credential

The device user gets the DISA Purebred derived credential by using the DISA Purebred Registration app. Then the device user uses the PIV-D Manager app for iOS to import the derived credential’s certificates from the DISA Purebred Registration app. The PIV-D Manager app imports the authentication, signing, and encryption certificates, and then sends all the certificates to MobileIron Go for iOS. These certificates overwrite any existing DISA Purebred derived credential certificates that the PIV-D Manager had previously sent to MobileIron Go.

Procedure 

1. Launch the DISA Purebred Registration app.
2. Follow the app’s instructions to get a DISA Purebred derived credential.
3. Launch the PIV-D Manager app for iOS.

The app switches control to MobileIron Go, which prompts the device user to create a secure apps passcode.

4. Follow the MobileIron Go instructions to create a secure apps passcode.
5. After creating the secure apps passcode, tap Done.

Control switches back to the PIV-D Manager app.

6. Tap DISA Purebred.
7. Tap Import All.
8. Tap Browse.
9. Tap Locations.
10. Tap the Purebred option.
11. Tap the first entry.
12. Follow the instructions to import the derived credential to the PIV-D Manager app and send it to MobileIron Go.

Installing AppConnect apps for iOS

The device user installs each AppConnect app for iOS that uses derived credentials.

Procedure 

1. Launch the App Catalog for iOS on the device.
2. Tap the listing for the AppConnect app.
3. Tap Install.
4. On the pop-up, tap Install.

Running AppConnect apps for iOS

To run an iOS AppConnect app, including Web@Work, Docs@Work, or Email+, the device user launches the app, and then enters the secure apps passcode if prompted by MobileIron Go.The app then receives the derived credential from MobileIron Go.

NOTE: If an AppConnect app expects certificates from a derived credential but the derived credential is not available in MobileIron Go, the app becomes unauthorized. Some apps, such as Web@Work, display the unauthorized message. It says: “Missing required credentials. Please ensure you provisioned the credentials”.