Create and configure an SDK profile with the derived credentials and assign the profile to Workspace ONE Cards. The SDK profile helps Cards to fetch the derived credential certificates from Workspace ONE PIV-D Manager. These certificates are used by devices to access resources securely.

A derived credential is a client certificate that is generated or issued on a mobile device after users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Cards imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server through CBA and dual authentication in Cards. For more information on the PIV-D application, see Workspace ONE PIV-D Manager Admin Guide.


  1. Configure the SDK profile.
    1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.
    2. Select SDK Profile.
    3. Select a platform.
    4. Configure the profile's General Settings.
    5. Select the Credentials payload and select Configure.
    6. Set the Credential Source to Derived Credentials.
    7. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
    To add additional certificates, use the plus sign at the bottom of the profile screen.
    1. Select Save and Publish.
  2. Assign the SDK Profile to Cards.
    1. Navigate to Apps & Books > Native > Public > Add Application and add Workspace ONE Cards.
      If the Cards application has already been added, you can skip the preceding step.
    2. Select Edit.
    3. On the SDK tab, set the SDK profile to the one configured with the derived credential source and key usage.
    4. Select Save and Assign.