What you configure on MobileIron Cloud to use derived credentials

The following list shows the high-level configuration tasks necessary on MobileIron Cloud to support derived credentials for AppConnect.

Figure 1. High-level Configuration Tasks on Admin Portal

The following table provides more details. The table:

  • Describes each configuration task related to derived credentials that is necessary on MobileIron Cloud.

  • Indicates to which derived credential providers and device platform (iOS, Android AppConnect) the task applies.

  • Provides a cross-reference to the detailed steps for each task.

NOTE: The task list assumes that you want device users to register MobileIron Go using a registration PIN rather than with a user ID and password, since typically, device users who use smart cards do not have passwords. However, using a registration PIN is a requirement only with Entrust derived credentials. For other derived credential providers, it is not a requirement, and therefore the related tasks are optional.


Table 1. Derived credentials configuration tasks on MobileIron Cloud

Each entry below gives the task, the cross-reference to its detailed steps, the derived credential providers and device platforms to which it applies, and notes.

1. Allow device users to authenticate to the MobileIron Cloud self-service user portal with the identity certificate on their smart cards.

   Detailed steps: Configuring certificate authentication to the MobileIron Cloud Self-Service Portal

   Notes: Allowing certificate authentication includes uploading to Cloud a valid issuing (CA) certificate or a valid supporting certificate chain.

   Entrust: This task is required for Entrust derived credentials, because it is a prerequisite for configuring Cloud to use the Entrust IdentityGuard Self-Service Module (SSM) URL.

   All other derived credential providers: Although not strictly required for other derived credential providers, device users who use smart cards typically do not have passwords. Therefore, if you want them to be able to access the self-service user portal to, for example, generate a registration PIN, this step is required.

   IMPORTANT: The certificate that you upload to MobileIron Cloud is not immediately available for device users to authenticate against. It is only available for authentication after the next MobileIron Cloud upgrade. Contact MobileIron Technical Support to ask MobileIron to make your certificate available for use after the next upgrade.

2. Provide the Entrust IdentityGuard Self-Service Module (SSM) URL to MobileIron Cloud.

   Detailed steps: Configuring the Entrust IdentityGuard SSM Module URL

   Applies to: Entrust

   Notes: MobileIron Cloud uses this URL to get derived credentials from Entrust. The device user uses the PIV-D Manager app for iOS or the PIV-D Manager app for Android to activate the derived credential on a device.

3. Allow device users to register MobileIron Go on their devices to MobileIron Cloud using a one-time registration PIN.

   Detailed steps: Configuring PIN-based registration

   Entrust: This task is required for Entrust derived credentials because device users need a registration PIN to request an Entrust derived credential.

   All other derived credential providers: Although not strictly required for other derived credential providers, device users who use smart cards typically do not have passwords. Therefore, if you want them to be able to register MobileIron Go using a one-time registration PIN, this step is required.

4. Configure Identity Certificate Configurations that use derived credentials.

   Detailed steps: Configuring an identity certificate for derived credentials

   Applies to: All derived credential providers

   Notes: The activated derived credentials are stored in MobileIron Go for iOS or Secure Apps Manager for Android. Each of these components provides an identity certificate from the derived credential to the AppConnect app. You configure an AppConnect app to use derived credentials by referencing an Identity Certificate Configuration that specifies using derived credentials. The reference to the Identity Certificate Configuration is in the app's AppConnect Certificate Configuration.

   You configure an Identity Certificate Configuration for one of these purposes, as needed: authentication, signing, or encryption.

5. Set up the App Catalog web clip for device users.

   Detailed steps: Configuring the App Catalog web clip for iOS

   Applies to: All derived credential providers; iOS only

   Notes: You use the App Catalog web clip on devices to distribute apps from the MobileIron Cloud App Catalog.

6. Configure AppConnect.

   Detailed steps:
   Configuring AppConnect for iOS
   Configuring AppConnect for Android

   Applies to: All derived credential providers

   Notes: Configuring AppConnect allows device users to use AppConnect apps, including the derived credential app.

7. Add the derived credential app to the App Catalog on MobileIron Cloud.

   Detailed steps:
   Adding the PIV-D Manager app for iOS to the App Catalog
   Adding a third-party iOS derived credential app to the App Catalog
   Adding the PIV-D Manager app for Android to the App Catalog

   Entrust on Android: Add the PIV-D Manager app for Android to the App Catalog on MobileIron Cloud.

   Entrust and DISA Purebred on iOS: Add the PIV-D Manager app for iOS to the App Catalog on MobileIron Cloud.

   Other derived credential providers on iOS: Add the appropriate third-party derived credential app to the App Catalog on MobileIron Cloud.

8. Configure the PIV-D Manager app for iOS.

   Detailed steps:
   Adding the PIV-D Manager app for iOS to the App Catalog
   Configuring the PIV-D Manager app for iOS for analytics
   Configuring the PIV-D Manager app for iOS for feedback

   Applies to: iOS only

   Notes: Configure the PIV-D Manager app for iOS as follows:

   Entrust:
     • Configure the Entrust activation URL that MobileIron Cloud sends to the PIV-D Manager app so that the app can activate the device user's derived credentials.
     • Configure a unique device identifier that the PIV-D Manager app sends to the Entrust IdentityGuard server. The identifier allows an administrator to determine which device contains a given derived credential, allowing control around auditing and revocation.

   DISA Purebred:
     • Configure the PIV-D Manager app to support DISA Purebred derived credentials.

   Both Entrust and DISA Purebred:
     • Configure the PIV-D Manager app to turn on or off analytics reporting.
     • Configure the PIV-D Manager app to allow the device user to send feedback to a specified email address.

9. Configure the PIV-D Manager app for Android.

   Detailed steps: Adding the PIV-D Manager app for Android to the App Catalog

   Applies to: Entrust; Android only

   Notes: Configure the PIV-D Manager app for Android to:
     • receive the Entrust activation URL from MobileIron Cloud so that it can activate the device user's derived credentials.
     • send a unique device identifier to the Entrust IdentityGuard server. The identifier allows an administrator to determine which device contains a given derived credential, allowing control around auditing and revocation.

10. Configure a third-party iOS derived credential app.

   Detailed steps: Adding a third-party iOS derived credential app to the App Catalog

   Applies to: Derived credential providers other than Entrust or DISA Purebred; iOS only

   Notes: You configure an iOS third-party derived credential app to receive app-specific settings from MobileIron Cloud, as defined by the app vendor or developer.

11. Add the AppConnect apps that will use the derived credential to the App Catalog on MobileIron Cloud.

   These AppConnect apps can include Web@Work, Docs@Work, Email+, and in-house AppConnect apps.

   Detailed steps:
   Adding Web@Work for iOS to the App Catalog
   Adding Web@Work for Android to the App Catalog
   Adding Docs@Work for iOS to the App Catalog
   Adding Docs@Work for Android to the App Catalog
   Setting up Email+ to use derived credentials
   Adding in-house iOS AppConnect apps to the App Catalog
   Adding Android AppConnect apps to the App Catalog

   Applies to: All derived credential providers

   Notes: When you add each AppConnect app that uses derived credentials to the App Catalog, you specify in its AppConnect Certificate Configuration which derived credential identity certificate to use.