The Persistent Device Token Extension, available through the CryptoTokenKit (CTK) framework, is a way to provide credentials for apps that are not a part of the Workspace ONE UEM platform. The Persistent Device Token Extension makes certificates accessible without depending on mobile device management or the managed certificate store.

Supported iOS and iPadOS versions

The Persistent Device Token Extension is supported on the following versions:

  • iOS 14 or later
  • iPadOS 14 or later

Persistent Device Token Extension Overview

The CTK framework includes support for always-available tokens, referred to as persistent tokens. The Persistent Device Token Extension responds to requests from consumer apps. A consumer app might send a request for authentication, signing, encryption, or decryption. The Persistent Device Token Extension processes the request and returns a response without revealing the certificate information. For details on CryptoTokenKit, see the Apple Developer website.
Note: Private key material is never exposed to the consumer app when the Persistent Device Token Extension is used. An app may obtain a reference to the private key, which lets it request operations such as signing or decryption, but it cannot read the key material itself.

The Persistent Device Token Extension can be used on managed and unmanaged devices to provide credentials for apps on that device. The Persistent Device Token Extension is available to any app on a device to use for any purpose. For example, a device has Workspace ONE UEM installed alongside Safari, which is not part of the Workspace ONE UEM platform. Although Safari is not integrated with Workspace ONE UEM, it can authenticate to a website using a credential issued to PIV-D through the Persistent Device Token Extension.

The Persistent Device Token Extension supports YubiKey. For PIV-D Manager and YubiKey information, see PIV-D Manager and YubiKey for iOS.

Enable the Persistent Device Token Extension

The Persistent Device Token Extension is deactivated by default. Enable or deactivate the token extension on the Application Configuration tab in the PIV-D Manager.

For information on configuring the Persistent Token Extension, see the iOS App Config Key-Value Pairs section of Send Derived Credentials from the Console to iOS Devices.

Persistent Device Token Extension Time Out

The Persistent Device Token Extension times out when the PIV-D Manager has not been running in the foreground of the device for a configurable period. The default duration of the time out is 24 hours. The duration is configured on the Application Configuration tab in the PIV-D Manager.

PIV-D Manager only receives configuration updates when the app UI is open in the foreground. Persistent Device Token Extension requests can be processed in the background. However, PIV-D Manager does not receive configuration updates (such as enabling or deactivating the token extension) in the background. For example, when the Persistent Device Token Extension is deactivated, the change is not applied in PIV-D Manager while it runs in the background. To apply configuration updates, run PIV-D Manager in the foreground.

Persistent Device Token Extension Local Notifications

PIV-D Manager uses local notifications to prompt you to open the app when a Persistent Device Token Extension request cannot be processed in the background. For example, a notification with details is shown when the Persistent Device Token Extension time out expires. If PIV-D Manager notifications are blocked on a device, then notification details are not shown.

When requests fail in the consumer app, the app might show an error message that does not identify the cause of failure relating to the Persistent Device Token Extension. For example, a browser might show a network connection lost error without referring to the Persistent Device Token Extension failure.

To receive detailed notifications, enable notifications from PIV-D Manager on the device.
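As an added example (not code from PIV-D Manager or the Workspace ONE UEM documentation), this is the consumer-app side of a CTK request: the app locates an identity published by a token, asks the token to sign a challenge, and checks that the private key material cannot be exported. Querying the `kSecAttrAccessGroupToken` access group and the choice between an ECDSA and an RSA algorithm are assumptions about how the token publishes its key; the error from the token is surfaced to the caller so that a failure (such as an expired time out) is not hidden behind a generic message.

```swift
import Foundation
import Security

enum TokenSignError: Error {
    case noTokenIdentity
    case signingUnsupported
    case tokenRequestFailed(String)   // carries the CryptoTokenKit error text to the UI
}

/// Result of a signing request: the signature, the algorithm used, and whether
/// the key material was readable by the app (it should never be).
struct TokenSignResult {
    let signature: Data
    let algorithm: SecKeyAlgorithm
    let keyMaterialExportable: Bool
}

/// Returns the first identity published by any CTK token on the device.
/// Assumption: token-backed items live in the kSecAttrAccessGroupToken group.
func firstTokenIdentity() throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrAccessGroup as String: kSecAttrAccessGroupToken,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess, let ref = item else {
        throw TokenSignError.noTokenIdentity
    }
    return ref as! SecIdentity
}

/// Asks the token to sign `challenge`. The app holds only a SecKey reference;
/// the signing operation itself runs inside the token extension.
func signWithToken(challenge: Data) throws -> TokenSignResult {
    var keyRef: SecKey?
    guard SecIdentityCopyPrivateKey(try firstTokenIdentity(), &keyRef) == errSecSuccess,
          let key = keyRef else { throw TokenSignError.noTokenIdentity }
    // For a token-backed key this export attempt is expected to fail (return nil).
    let exportable = SecKeyCopyExternalRepresentation(key, nil) != nil
    let candidates: [SecKeyAlgorithm] = [.ecdsaSignatureMessageX962SHA256,
                                         .rsaSignatureMessagePKCS1v15SHA256]
    guard let algorithm = candidates.first(where: { SecKeyIsAlgorithmSupported(key, .sign, $0) })
    else { throw TokenSignError.signingUnsupported }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, algorithm, challenge as CFData, &error) as Data? else {
        // Typical cause: the token extension could not process the request in the background.
        let reason = error.map { "\($0.takeRetainedValue())" } ?? "unknown CryptoTokenKit error"
        throw TokenSignError.tokenRequestFailed(reason)
    }
    return TokenSignResult(signature: sig, algorithm: algorithm, keyMaterialExportable: exportable)
}
```

A caller that catches `tokenRequestFailed` can prompt the user to open PIV-D Manager instead of reporting an unrelated network error.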