You can sign PDFs with a PIN, facial recognition, or fingerprint using Workspace ONE PIV-D Manager.

You can share documents with the Workspace ONE PIV-D Manager app to render and show the PDF document. If the PDF document contains a signature element, users can add a digital signature with the SIGNING derived credential. Users can save or share the signed documents with other PDF supporting apps using Android Sharesheet.

Workspace ONE PIV-D Manager adds a custom document provider to Android's Storage Access Framework (SAF). Users can access signed PDF documents while in other apps like Workspace ONE Boxer and Adobe Acrobat Reader with SAF.

Signing PDFs with Workspace ONE PIV-D Manager has some limitations.

  • Workspace ONE PIV-D Manager uses a single signing certificate that can be used for multiple signatures. It does not support the use of multiple signing certificates for PDF signing.

  • The system records that PDFs are signed but it does not validate signatures.

Prerequisites

  • The PDF must have a signature element (allows digital signing).

  • Your deployment must use Workspace ONE PIV-D Manager for Android v20.04 or later.

  • The corresponding SIGNING certificate in Workspace ONE PIV-D Manager for Android must have the keyUsage attribute set for digital signing and non-repudiation.

  • Device users need a keystore PIN. Users configure their keystore PINs when they activate and import their derived credential certificates. The keystore PIN is different from the Workspace ONE PIV-D Manager passcode.

Important:

Users get six attempts to enter their PINs. On the sixth incorrect PIN entry, the

Workspace ONE PIV-D Manager app wipes all data.

  • Facial recognition or fingerprint scanning must be configured on the device to utilize biometric signing.

  • Biometric Authentication for keystore also requires SSO to be ON.

Procedure

  1. Admins configure the Workspace ONE PIV-D Manager app in the Workspace ONE UEM console.
    1. Navigate to Resources > Apps > Native > Public and edit the Workspace ONE PIV-D Manager app in the view list.
    2. Add the key value pair, EnablePDFSigning as a Boolean data type with the value of true.
    3. (optional) Add the key value pair, EnableBiometricAuthentication as a Boolean data type with the value of true to allow for biometric signing. Adding this value pair gives you the option to enable biometric signing within PIV-D Application Settings.
    4. Push the Workspace ONE PIV-D Manager to deploy the PDF signing feature.
  2. Users share or import the applicable PDF file into the Workspace ONE PIV-D Manager app for signing on their devices.
    1. On their devices, users view the applicable PDF file in one of several ways.

      • Share the PDF from the app that usually renders PDFs, either Workspace ONE Boxer, Workspace ONE Content, or Adobe Acrobat Reader.

      • Import the PDF from the Android Storage Access Framework by selecting Floating Action Button (FAB) on the Signed Documents page.

      • Open an already-signed PDF in the Signed Documents page.

      The PDF opens in the Workspace ONE PIV-D Manager app and displays a SIGN button if single signature element is present or asks to select the signature elements if mutiple signature fields are present.

    2. In the PDF that is opened in Workspace ONE PIV-D Manager, users select Sign.

      Workspace ONE PIV-D Manager prompts users for the keystore PIN. Users configured this PIN when they activated and imported their derived credential certificates.

      If users enter an incorrect PIN, Workspace ONE PIV-D Manager does not sign the PDF. Users must enter their PIN again. The max number of attempts is 6.

    3. Users have several options to store their signed PDFs with Save and Share.

      • Save - Selecting this button stores the signed PDF in the Workspace ONE PIV-D Manager app. Users can access the saved document from the Signed Documents page. This button also makes the document accessible to all apps from the Storage Access Framework.

      • Share - Selecting this button shares the signed PDF with other PDF-apps through Android Sharesheet. This shared PDF is not stored in Workspace ONE PIV-D Manager.