Purebred is a mobile application developed and managed by the Defense Information Systems Agency (DISA). It offers a secure and scalable way to distribute PIV-D certificates on compatible mobile devices.
The Purebred Registration application acts as a certificate delivery source for Workspace ONE Boxer. It helps Boxer to use the Purebred PIV-D certificates for authentication and S/MIME functionality (signing, encryption, or both). This application stores its certificates in the Android KeyStore and shares the alias information of the certificates with Boxer.
With Purebred as a certificate source, you can configure Boxer for the following authentication modes:
As an admin, configure Workspace ONE Boxer to support Purebred as a certificate source for the managed Android devices.
You can determine how Workspace ONE Boxer can use the Purebred Registration application as a source for derived credential certificates. To do so, you must configure Boxer using the Workspace ONE UEM console version 2003 or below with the following key-value pair.
If you are deploying Boxer using the Workspace ONE UEM console version 2004 or higher, you must apply the following steps:
Enable Purebred for Certificate-based authentication.
a. In the Boxer Assignment screen, navigate to Email Settings > Authentication > Advanced.
b. Set the authentication type to Certificate.
c. Select Purebred as Derived Credentials.
Enable Purebred for S/MIME certificates.
a. Navigate to Email Settings > S/MIME and add the certificate source as Derived Credentials.
b. Select Purebred as an issuer name.
Note: iOS supports Workspace ONE PIV-D Manager instead of the Purebred Registration application for the derived credential certificates. As an admin, you must push the certificates to the VMware PIV-D Manager application using the Workspace ONE UEM console.
Android allows applications to be installed through sideloading, which makes it easy for an unauthorized application to pose as Purebred and get installed on the device. To mitigate this security risk, you can configure Workspace ONE Boxer to authenticate the Purebred Registration application using the Purebred public signing key. To do so, you must enable the AppPurebredPublicKey KVP in the Workspace ONE UEM console. When enabled, this key can easily override the signing key because Purebred is a non-Play Store application.
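The kind of check described above, shown as a general Android illustration that is added here and is not code from Boxer or Purebred: an app pins another app's public signing key before trusting it as a certificate source. The package name, the pinned value and its encoding (base64 of the DER-encoded public key) are assumptions and placeholders, not values from this page.

```kotlin
import android.content.pm.PackageManager
import android.util.Base64
import java.io.ByteArrayInputStream
import java.security.MessageDigest
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Hypothetical placeholders: neither value comes from the page.
const val PROVIDER_PACKAGE = "com.example.provider.placeholder"
const val PINNED_PUBLIC_KEY_B64 = "<base64 of the DER-encoded public signing key>"

/**
 * Returns true only if the installed provider package has exactly one signer
 * and that signer's public key equals the pinned key. Every failure path
 * returns false (fail closed). Requires API 28+ for GET_SIGNING_CERTIFICATES.
 */
fun isTrustedCertificateProvider(pm: PackageManager): Boolean {
    val pinned = try {
        Base64.decode(PINNED_PUBLIC_KEY_B64, Base64.DEFAULT)
    } catch (e: IllegalArgumentException) {
        return false // malformed pin value
    }
    val info = try {
        // On Android 11+ the caller must declare the package in <queries>,
        // otherwise it is invisible and this throws NameNotFoundException.
        pm.getPackageInfo(PROVIDER_PACKAGE, PackageManager.GET_SIGNING_CERTIFICATES)
    } catch (e: PackageManager.NameNotFoundException) {
        return false // not installed, or not visible to this app
    }
    val signingInfo = info.signingInfo ?: return false
    // apkContentsSigners lists only the current signers, so keys that appear
    // solely in the rotation history are not accepted.
    val signers = signingInfo.apkContentsSigners ?: return false
    if (signingInfo.hasMultipleSigners() || signers.size != 1) return false

    val cert = try {
        CertificateFactory.getInstance("X.509")
            .generateCertificate(ByteArrayInputStream(signers[0].toByteArray()))
            as X509Certificate
    } catch (e: CertificateException) {
        return false
    }
    // Compare the full encoded public key in constant time; a sideloaded
    // look-alike signed with a different key does not match.
    return MessageDigest.isEqual(cert.publicKey.encoded, pinned)
}
```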
As a user, you must configure Workspace ONE Boxer to access the Purebred Registration application and grant access to each certificate that is installed on the device using Purebred. The Purebred Registration application installs the derived credential certificates directly in the device trust store.
Ensure that your device is registered with the Purebred Registration application and all the certificates are installed on your device.
When you launch the Boxer application, tap Ok to allow Boxer to access the Purebred Registration application to fetch all the certificate-related data. After you tap, you can view the list of certificates that Boxer requires.
For each certificate, tap Grant Access. You must grant access to all the listed certificates.
After you grant access to all the listed certificates, an Android-driven dialog box pops up with the pre-selected certificate. If you do not see any pre-selected certificate, it means that either of the following things has happened:
To view the certificate details, tap View certificate.
To select the certificate you want to use for authentication, tap Next. If your admin has configured Boxer to use Purebred for S/MIME, you only have to grant access to the certificates, and after access to all the certificates has been granted, the screen closes automatically.
On the Authentication Certificate Picker screen, you can select another certificate to authenticate your account if you do not want to use the pre-selected certificate.
To continue with the rest of the Boxer onboarding process, tap Next.