Purebred is a mobile application developed and managed by the Defense Information Systems Agency (DISA). It offers a secure and scalable way to distribute PIV-D certificates on compatible mobile devices.

The Purebred Registration application acts as a certificate delivery source for Workspace ONE Boxer. It enables Boxer to use the Purebred PIV-D certificates for authentication and S/MIME functionality (signing, encryption, or both). This application stores its certificates in the Android KeyStore and shares the alias information of the certificates with Boxer.

With Purebred as a certificate source, you can configure Boxer for the following authentication modes:

  • Certificate-based authentication (CBA)
  • Certificate-based authentication using modern authentication
  • Dual factor authentication (DCBA)

Set Up Purebred as Your Derived Credential Provider

As an admin, configure Workspace ONE Boxer to support Purebred as a certificate source for the managed Android devices.

You can determine how Workspace ONE Boxer can use the Purebred Registration application as a source for derived credential certificates. To do so, you must configure Boxer using the Workspace ONE UEM console version 2003 or below with the following key-value pair.

  • PolicyDerivedCredentials - Enable this key to use the Purebred Registration application as a certificate source for Certificate-based authentication (CBA).
  • PolicyDerivedCredentialsSMIME - Enable this key to use the Purebred Registration application as a certificate source for the S/MIME certificates (signing or encryption).

If you are deploying Boxer using the Workspace ONE UEM console version 2004 or higher, follow these steps:

  1. Enable Purebred for Certificate-based authentication.

    a. In the Boxer Assignment screen, navigate to Email Settings > Authentication > Advanced.

    b. Set the authentication type to Certificate.

    c. Select Purebred as Derived Credentials.

  2. Enable Purebred for S/MIME certificates.

    a. Navigate to Email Settings > S/MIME and add the certificate source as Derived Credentials.

    b. Select Purebred as an issuer name.

Note: iOS supports Workspace ONE PIV-D Manager instead of the Purebred Registration application for the derived credential certificates. As an admin, you must push the certificates to the VMware PIV-D Manager application using the Workspace ONE UEM console.

Verifying Purebred Registration Application

Android allows applications to be installed through sideloading, which makes it easy for an unauthorized application to impersonate Purebred and get installed on the device. To mitigate this security risk, you can configure Workspace ONE Boxer to authenticate the Purebred Registration application using the Purebred public signing key. To do so, enable the AppPurebredPublicKey KVP in the Workspace ONE UEM console. When enabled, this key can override the signing key, because Purebred is not distributed through the Play Store.
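The check described above binds trust to the signing key of the installed package rather than to its package name, which any sideloaded application can copy. The following is an added example, not Boxer's or DISA's code: it pins a SHA-256 fingerprint of the expected signing certificate (standing in for the value an admin supplies through AppPurebredPublicKey) and shows that an impostor package carrying the right name but a different signer is rejected. The package name, certificate bytes and fingerprint are constructed for the example and are not Purebred's real values.

```python
import hashlib
import hmac
from typing import Sequence

# CONSTRUCTED for this example: stands in for the DER bytes of the trusted
# Purebred signing certificate. The real key is supplied by the admin.
TRUSTED_SIGNER_DER = b"example-purebred-signing-certificate-der"
TRUSTED_SIGNER_SHA256 = hashlib.sha256(TRUSTED_SIGNER_DER).hexdigest()

# Placeholder package name (assumption, not the real Purebred package id).
PUREBRED_PACKAGE = "com.example.purebred"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def is_trusted_provider(package_name: str,
                        signer_certs: Sequence[bytes],
                        expected_sha256: str = TRUSTED_SIGNER_SHA256) -> bool:
    """Accept the certificate provider only if the package name matches AND
    every signing certificate on the installed APK matches the pinned key.

    A sideloaded app can pick any package name, but it cannot reproduce the
    original signing key, so the signer comparison is what binds identity.
    Requiring *all* signers to match defeats an APK that adds a second,
    attacker-controlled signer alongside a copied certificate.
    """
    if package_name != PUREBRED_PACKAGE or not signer_certs:
        return False
    return all(hmac.compare_digest(fingerprint(cert), expected_sha256)
               for cert in signer_certs)


def name_only_check(package_name: str) -> bool:
    """The weak check this example warns against: package name alone."""
    return package_name == PUREBRED_PACKAGE


if __name__ == "__main__":
    # Constructed scenario: a sideloaded impostor reuses the package name
    # but is signed with a different (attacker-generated) certificate.
    impostor_der = b"constructed-impostor-signing-certificate-der"
    print("genuine:", is_trusted_provider(PUREBRED_PACKAGE, [TRUSTED_SIGNER_DER]))
    print("impostor (name only):", name_only_check(PUREBRED_PACKAGE))
    print("impostor (pinned signer):", is_trusted_provider(PUREBRED_PACKAGE, [impostor_der]))
```

On Android itself the signer certificates come from the package manager (the GET_SIGNING_CERTIFICATES query); this example takes them as plain bytes so the comparison logic can be run and read on its own.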

Enroll Android Boxer with DISA Purebred

As a user, you must configure Workspace ONE Boxer to access the Purebred Registration application and grant access to each certificate that is installed on the device using Purebred. The Purebred Registration application installs the derived credential certificates directly in the device trust store.

Ensure that your device is registered with the Purebred Registration application and all the certificates are installed on your device.

  1. When you launch the Boxer application, tap OK to allow Boxer to access the Purebred Registration application and fetch all the certificate-related data. After tapping, you can view the list of certificates that Boxer requires.

  2. For each certificate, tap Grant Access. You must grant access to all the listed certificates.

    After you grant access to all the listed certificates, an Android-driven dialog box pops up with the pre-selected certificate. If you do not see a pre-selected certificate, one of the following has happened:

    • Certificates are missing from the trust store of your Android device.
    • The certificate names are inconsistent.
    • The Original Equipment Manufacturer (OEM) has truncated the alias of the certificate. This scenario is common on Samsung devices, where the device truncates the certificate alias to 50 characters and saves it in the device trust store.
    • Knox Container is enabled and the certificates are installed into the container, in which case Knox appends "Knox" to the name of the certificate.

  3. To view the certificate details, tap View certificate.

  4. To select the certificate you want to use for authentication, tap Next. If your admin has configured Boxer to use Purebred for S/MIME, you only have to grant access to the certificates; after access has been granted to all the certificates, the screen closes automatically.

  5. On the Authentication Certificate Picker screen, you can select another certificate to authenticate your account if you do not want to use the pre-selected certificate.

  6. To continue with the rest of Boxer's onboarding process, tap Next.

    Note:

    • If you have picked an incorrect certificate, you can return to the Authentication Certificate Picker screen and change it to the correct one through the error handling process. If Boxer is configured for modern authentication, you can tap Back and select the correct certificate.
    • Android can revoke access to certificates. This revocation might occur for the following reasons:
      • The certificates are missing from the device trust store.
      • A deleted certificate has been reinstalled.
      • Android revokes permission.
        The Boxer application notifies you when it is unable to access the certificate in the device trust store. You can give Boxer access to the certificate by tapping the notification.
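The missing pre-selected certificate in step 2 above comes down to Boxer looking up an alias it was told about by Purebred and not finding that exact string in the device KeyStore. The following added example (not Boxer's own matching logic, which this page does not describe) classifies each expected alias against the aliases actually installed, distinguishing an exact match, an OEM truncation to 50 characters, a Knox-modified name, an inconsistent name, and a genuinely missing certificate. The alias strings are constructed for the example; treating "Knox" as a suffix with an optional separator is an assumption, since the page only states that Knox appends it.

```python
import re
from typing import Dict, List, Optional

# Alias length limit the page attributes to some Samsung devices.
OEM_ALIAS_LIMIT = 50


def _normalize(alias: str) -> str:
    """Collapse case and whitespace so loosely 'inconsistent' names still compare."""
    return re.sub(r"\s+", "", alias).lower()


def classify_alias(expected: str, installed: List[str],
                   limit: int = OEM_ALIAS_LIMIT) -> Dict[str, Optional[str]]:
    """Explain how one expected Purebred alias maps onto the installed aliases.

    Returns a dict with 'status' (exact | oem_truncated | knox_container |
    inconsistent_name | missing) and 'match' (the installed alias, or None).
    """
    if expected in installed:
        return {"status": "exact", "match": expected}

    # OEM truncation: only meaningful when the expected alias exceeds the limit.
    truncated = expected[:limit]
    if truncated != expected and truncated in installed:
        return {"status": "oem_truncated", "match": truncated}

    # Knox container: ASSUMPTION that "Knox" is appended, optionally with a separator.
    knox_pattern = re.compile(r"^" + re.escape(expected) + r"[ _-]?Knox$")
    for alias in installed:
        if knox_pattern.match(alias):
            return {"status": "knox_container", "match": alias}

    # Names that differ only in case or whitespace.
    for alias in installed:
        if _normalize(alias) == _normalize(expected):
            return {"status": "inconsistent_name", "match": alias}

    return {"status": "missing", "match": None}


def diagnose(expected_aliases: List[str],
             installed: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Classify every alias Boxer expects against what the KeyStore holds."""
    return {alias: classify_alias(alias, installed) for alias in expected_aliases}


# CONSTRUCTED sample data: aliases Purebred reported to Boxer ...
EXPECTED_ALIASES = [
    "purebred-piv-d-derived-cba",                                   # present as-is
    "purebred-piv-d-authentication-certificate-for-user-0001",      # 55 chars, gets truncated
    "purebred-piv-d-smime-signing",                                 # renamed by Knox
    "purebred-piv-d-smime-encryption",                              # never installed
]

# ... and what a (constructed) Samsung/Knox device actually stored.
INSTALLED_ALIASES = [
    "purebred-piv-d-derived-cba",
    "purebred-piv-d-authentication-certificate-for-user",           # first 50 chars only
    "purebred-piv-d-smime-signingKnox",
]

if __name__ == "__main__":
    for alias, result in diagnose(EXPECTED_ALIASES, INSTALLED_ALIASES).items():
        print(f"{result['status']:17} {alias!r} -> {result['match']!r}")
```

Only the "exact" status would let a naive lookup pre-select the certificate; every other status corresponds to one of the bullets in step 2, which is why the dialog can appear without a selection even though the certificates are on the device.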