Create and configure an SDK profile with Derived Credential and assign the profile to Boxer. The SDK profile enables Boxer to fetch the Derived Credential certificates from the VMware PIV-D Manager application so that the device can use the certificates to access resources securely.

A Derived Credential is a client certificate that is generated (or issued) on a mobile device after end users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Boxer imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server or to fetch the SMIME certificates for signing and encryption of emails.


  1. Configure the SDK Profile.
    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles select Add Profiles.
    2. Select SDK Profile.
    3. Select the desired Platform.
    4. Configure the profile's General Settings.
    5. Select the Credentials payload and select Configure.
    6. Set the Credential Source to Derived Credentials.
    7. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
      To add additional certificates, use the plus sign at the bottom of the profile window.
    8. Select Save and Publish.
  2. Assign the SDK Profile to Boxer.
    1. Navigate to Apps & Books > Native > Public > Add Application and add Boxer.
      If the Boxer application has already been added, you can skip the preceding step.
    2. Select Edit.
    3. Navigate to the SDK tab and set the SDK profile to the one configured with the derived credential source and key usage.
    4. Select Save and Assign.
    5. Create a smart group if you do not have one and modify your assignment.
    6. Under More Email Settings, set the authentication type to Certificate or Both.
      If you are configuring iOS Boxer with modern authentication using the AccountUseOauth key, then you must ensure that the authentication type is set to Basic instead of Certificate or Both. You must also configure a device profile with a Credential payload where the Credential Source is set to Derived Credential and Key Usage type to Authentication. If you have not configured modern authentication on iOS, then you can skip to the next step.
    7. Add a dummy Certificate Authorities.
    8. Under the Application Configuration, add the AppForceActivateSSO and the PolicyDerivedCredentials keys. For more information about these configuration keys, see Application Configurations for Workspace ONE Boxer.
    9. Select Add.