Create and configure an SDK profile with Derived Credential and assign the profile to the Notebook application. The SDK profile enables Notebook to fetch the Derived Credential certificates from the Workspace ONE PIV-D Manager application so that the device can use the certificates to access resources securely.

A Derived Credential is a client certificate that is generated (or issued) on a mobile device after end users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Notebook imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server through CBA and dual authentication in Notebook.
Note: For more information on the PIV-D application, see Workspace ONE PIV-D Manager Admin Guide.


  1. Configure the SDK Profile.
    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles select Add Profiles.
    2. Select SDK Profile.
    3. Select the desired Platform.
    4. Configure the profile's General Settings.
    5. Select the Credentials payload and select Configure.
    6. Set the Credential Source to Derived Credentials.
    7. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
      To add additional certificates, use the plus sign at the bottom of the profile window.
    8. Select Save and Publish.
  2. Assign the SDK Profile to Notebook.
    1. Navigate to Apps & Books > Native > Public > Add Application and add Workspace ONE Notebook.
      If the Notebook application has already been added, you can skip the preceding step.
    2. Select Edit.
    3. Navigate to the SDK tab and set the SDK profile to the one configured with the derived credential source and key usage.
    4. Select Save and Assign.