Setting up Purebred derived credentials on iOS devices
After device users register their devices with Ivanti Neurons for MDM, they can set up DISA Purebred derived credentials for use by AppConnect apps. The device user does the following tasks:
Authenticating to the Ivanti Neurons for MDM Self-Service Portal with a smart card
A device user authenticates to the Ivanti Neurons for MDM Self-Service Portal with a smart card. This procedure is supported only on desktop computers. It is not supported with:
- mobile devices
- Firefox
This procedure assumes you have sent the device user an email invitation to register with Ivanti Neurons for MDM. The email provides a link to the Self-Service Portal sign-in page because you have configured both of the following for the device user:
- A Self Service Portal Authentication setting where the Self Service Portal Authentication Type is Certificate
- A Device Registration Setting where the Device Registration Authentication Type is PIN Only
Procedure
- Connect a smart card reader, with a smart card inserted, to a desktop computer.
- On the desktop computer, point a supported browser to the link specified in the email.
- Click Sign in with Certificate.
- Select the certificate from the smart card.
- When prompted, enter the PIN for the smart card.
Generating the one-time registration PIN
After signing in to the Ivanti Neurons for MDM Self-Service Portal, a device user requests a one-time registration PIN on the Portal.
- Click Request a PIN.
  A one-time registration PIN displays.
- Copy the registration PIN and user name to enter later into Go on the device.
Installing Go for iOS
Instruct your device users to install Go for iOS on their devices. Device users get the app from the Apple App Store.
Registering Go for iOS
The device user registers Go for iOS to Ivanti Neurons for MDM using the one-time registration PIN that the device user generated on the Ivanti Neurons for MDM Self-Service Portal.
Procedure
- Launch Go on the device.
- Enter the user name.
- Tap Next.
- Enter the one-time registration PIN generated from the Ivanti Neurons for MDM Self-Service Portal.
- Tap Sign In.
- Follow the Go instructions to complete registration.
Installing the DISA Purebred Registration app
The DISA Purebred Registration app gets the Purebred derived credential and passes the credential’s certificates to the PIV-D Manager app, which in turn passes them to Go for iOS. Make sure the app is installed on applicable devices. Instruct the device users appropriately.
Installing the PIV-D Manager app for iOS
The device user installs the PIV-D Manager app for iOS. This app gets the DISA Purebred derived credential from the DISA Purebred Registration app, and passes the derived credential’s certificates to Go for iOS.
Procedure
- Launch the App Catalog on the device.
- Tap the listing for the PIV-D Manager app.
- Tap Install.
- On the pop-up, tap Install.
Getting a DISA Purebred derived credential
The device user gets the DISA Purebred derived credential by using the DISA Purebred Registration app. Then the device user uses the PIV-D Manager app for iOS to import the derived credential’s certificates from the DISA Purebred Registration app. The PIV-D Manager app imports the authentication, signing, and encryption certificates, and then sends all the certificates to Go for iOS. These certificates overwrite any existing DISA Purebred derived credential certificates that the PIV-D Manager had previously sent to Go.
Procedure
- Launch the DISA Purebred Registration app.
- Follow the app’s instructions to get a DISA Purebred derived credential.
- Launch the PIV-D Manager app for iOS.
  The app switches control to Go, which prompts the device user to create a secure apps passcode.
- Follow the Go instructions to create a secure apps passcode.
- After creating the secure apps passcode, tap Done.
- When Go switches back to the PIV-D Manager app, tap DISA Purebred.
- Tap Import All.
- Tap Browse.
- Tap Locations.
- Tap the Purebred option.
- Tap the first entry.
- Follow the instructions to import the derived credential to the PIV-D Manager app and send it to Go.
Installing AppConnect apps for iOS
The device user installs each AppConnect app for iOS that uses derived credentials.
Procedure
- Launch the App Catalog for iOS on the device.
- Tap the listing for the AppConnect app.
- Tap Install.
- On the pop-up, tap Install.
Running AppConnect apps for iOS
To run an iOS AppConnect app, including Web@Work, Docs@Work, or Email+, the device user launches the app, and then enters the secure apps passcode if prompted by Go. The app then receives the derived credential from Go.
If an AppConnect app expects certificates from a derived credential but the derived credential is not available in Go, the app becomes unauthorized. Some apps, such as Web@Work, display the unauthorized message. It says: “Missing required credentials. Please ensure you provisioned the credentials”.