To use the derived credentials feature, you must create a virtual smart card to use when you log in to a server and connect to a remote desktop. One virtual smart card can hold multiple certificates.


  • Verify that the client device, remote desktops, RDS hosts, Connection Server host, and other Horizon components meet the smart card authentication requirements. See Smart Card Authentication Requirements.
  • Verify that the device has a passcode. A passcode is required to create a virtual smart card.
  • Use VMware Workspace ONE PIV-D Manager for iOS v22.10 or later, or a third-party mobile app such as Purebred to issue the certificate to the client device, create a derived credential and provision the credential on the client device.

If you are using Workspace ONE PIV-D Manager, you must meet these requirements:

  • VMware Workspace ONE PIV-D Manager for iOS v22.10 and later.
  • Devices with iOS 15 or later and iPadOS 15 or later.
  • Persistent tokens enabled. To do this:
    1. Create a local text file named config.txt.
    2. Add this line to the file and save it: EnablePersistentTokens=True.
    3. Sync this file to the public folder for Horizon Client for iOS using Finder. (Horizon Client for iOS has published its Document directory).
  • Set the following Application Configuration on Workspace ONE UEM when sending Derived Credentials from the Console to iOS Devices. For details on PersistentTokenExtensionAllowed, UserPresenceProtection, and PIVDPromptForPIN and how to set them, see: Send Derived Credentials from the Console to iOS Devices in the Workspace ONE PIV-D Manager guide.
    • Required: Set PersistentTokenExtensionAllowed to True to enable the Persistent token extension. This allows PIV-D Manager to act as a CTK Provider.
    • Optional: Set UserPresenceProtection and PIVDPromptForPIN to False and enable SSO to avoid redundant authentication.


  1. Tap Settings at the bottom of the Horizon Client window.
  2. Tap Derived Credentials and then tap Create new virtual smart card.
  3. Perform device authentication.
    • If either Touch ID or Face ID is enabled, authenticate with Touch ID or Face ID.
    • If neither Touch ID nor Face ID is enabled, authenticate with a passcode.
  4. Enter and confirm a PIN for the virtual smart card.
  5. Tap Continue and import the certificate.
    1. Tap PIV Authentication Certificate.
    2. Select the Purebred Key Chain location.
      Note: If using VMware WorkSpace ONE PIV-D Manager, you can skip this step.
    3. Select the certificate to import.
      Note: If you cannot find the certificate in the Purebred Key Chain location, check that Purebred was configured successfully.
  6. (Optional) To import a digital signature certificate or encryption certificate after you import the PIV authentication certificate, tap Digital Signature Certificate or Encryption Certificate and follow the prompts.
  7. To create the virtual smart card, tap Done.
    The derived credential appears in the Settings window. The Use Derived Credentials setting is set to on.
  8. To create another virtual smart card for a different Horizon environment, tap Create new virtual smartcard and repeat these steps.

What to do next

Pair a Virtual Smart Card with Smart Card Middleware.