Deploy a device profile with a credentials payload to Android devices. The profile gets the certificates from Workspace ONE PIV-D Manager app so the device can use the certificates to securely access resources.


  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android (Legacy).
  2. Configure the profile's General settings.
  3. Select the Credentials profile and select Configure.
  4. Set the Credentials Source to Derived Credentials.
    Important: If you have at least one Credential Source set to Derived Credential, you cannot add credential sources other than derived credentials to the Credentials payload.
  5. Select the Key Usage based on how the certificate is used. Choose Authentication, Signing, or Encryption.
    To add additional certificates, use the plus sign at the bottom of the profile window.
  6. Add a Wi-Fi, VPN, Email, or other payload with which you want to associate the derived credential. Select the appropriate certificate just like with other credential sources.
    If you are configuring multiple payloads, create additional profiles instead of one profile containing multiple payloads and multiple derived credentials.
  7. Select Save and Publish.


The profile displays as pending in the Profiles List View.

What to do next

At this point, end users install and configure Workspace ONE PIV-D Manager on their Android device and the console pushes down and installs the device profile on the managed Android device. For more information, see Configure Workspace ONE PIV-D Manager on Devices.