Add and publish the Workspace ONE PIV-D Manager to devices as a public app. The app receives the derived credential certificates from the console so that the device can use them.
For details on how to use Workspace ONE PIV-D Manager to sign PDFs with derived credentials, see Sign PDFs with Workspace ONE PIV-D Manager for iOS.
Procedure
- Navigate to Resources > Apps > Native > Public and select Add Application.
The Managed By text box displays the organization group where the app is uploaded.
- Select the desired platform.
- To find the application, select Search App Store from the Source field.
- To find the application in the app store, enter "VMware PIV-D Manager" as the keyword in the Name text box.
- Select the application from the app store result page.
The Add Application window displays. It is not necessary to add further information.
- To move to the deployment section, select Save & Assign.
You assign the app to devices and add optional app config parameters in the deployment section.
- Select the Assignment tab and Add Assignment.
- For Select Assignment Groups, enter a group that includes the devices that use your derived credential solution.
- Optional: Under the Application Configuration tab, enable Application Configuration and enter the listed Configuration Key and Value pairs. To insert lines, click the Add button.
App config values pre-fill some settings that the user would otherwise configure manually on the device, but they are not required for Workspace ONE PIV-D Manager to work.
Table 1. Common App Config Key-Value Pairs

| Configuration Key | Value Type | Configuration Value | Description |
| --- | --- | --- | --- |
| AllowMultipleSets | Boolean | | Setting to True enables Multiple Credential Sets. When Multiple Credential Sets are enabled, the Add New Credential Set button shows on the Certificate Sets Screen. |
| AllowedProviderList | Array | 1 = Entrust<br>2 = Intercede<br>3 = Purebred<br>4 = Xtec<br>5 = Workspace ONE UEM<br>6 = YubiKey<br>7 = AuthentX ID by Xtec | Controls the number of providers shown. In the app, it is a way of pre-selecting the list of providers for the end user in Workspace ONE PIV-D Manager. The default shows all providers. Values correspond to a given provider. The administrator sets the provider value from the following available options: 1, 2, 3, 4, 5, 6, 7. |
| CertificateExpiryWarning | String | Your custom warning message for when a certificate is about to expire. | The default warning message is displayed if there is no custom warning message. |
| CertificateExpiryWarningPeriod | Integer | Enable = Any numerical value greater than 0<br>Disable = 0 | The default value is 30 days when nothing is manually set. |
| ConnectorAppName | String | Select an application name that can be used by a back end connector to Workspace ONE UEM. To select a lookup value from the list or enter fixed text such as "VMware PIV-D", click +. | This configuration key is only supported by the Intercede provider. |
| ConnectorDeviceIdentifier | String | Select a device identifier that can be used by a back end connector to Workspace ONE UEM. To select a lookup value, such as {DeviceUid}, from the list, click +. | This configuration key is only supported by Entrust and Intercede providers. |
| EnableEntrustBluetoothLogin | Boolean | True = On<br>False = Off | When you enable this value, the PIN policy defined in the Entrust system is honored instead of the key defined here. |
| EnableManualCertificateImport | Boolean | True = On<br>False = Off | Enables integrations with XTec to import the certificates from web browser downloads using the download portal website for customers. |
| EnablePDFSigning | Boolean | True = On<br>False = Off | Enable apps like Mail, Workspace ONE Boxer, or Adobe Acrobat Reader to sign a PDF document using the derived credential in Workspace ONE PIV-D Manager. |
| PersistentTokenExtensionAllowed | Boolean | | Setting to True enables the Persistent Token Extension, and PIV-D Manager acts as a CTK Provider. By default, the Persistent Token Extension is not allowed. |
| PersistentTokenExtensionTimeOutSeconds | Integer | | Checking to maintain an up-to-date policy setting in case the enterprise changes policy. The default is 86400 (24 hours, in seconds). |
| PIVDConfig | Array | 0 = Off<br>1 = On | Workspace ONE PIV-D Manager prompts the end user for an app token from the Self Service Portal before letting them proceed with fetching an SDK profile and certificate. This feature only works when the PIVDProvider configuration key value is 5 (Workspace ONE UEM). |
| PIVDInstructions | String | The instructional text for the end user. | A brief single string instruction for the end user to prepare them for using the app to activate/provision/import derived credentials from the provider. |
| PIVDPromptForPIN | Boolean | True = On<br>False = Off | Workspace ONE PIV-D Manager prompts the end user for the PIN even if you enable SSO. |
| PIVDProvider | Integer | 1 = Entrust<br>2 = Intercede<br>3 = Purebred<br>4 = Xtec<br>5 = Workspace ONE UEM<br>6 = YubiKey<br>7 = AuthentX ID by Xtec | This numeric value corresponds to a given provider. Workspace ONE UEM sends the value to the app to pre-configure the provider for the assigned end users. |
| UserPresenceProtection | Boolean | | The default setting is True. Setting to False does not require the user to authenticate using the Device Passcode or Biometrics (Touch ID / Face ID) to access the CTK tokens. All providers support this configuration key except YubiKey. |

Table 2. iOS App Config Key-Value Pairs

| Key | Value Type | Description |
| --- | --- | --- |
| PinDisallowDuplicate | Boolean | Setting to True checks for duplicate characters next to each other in the pin protecting the certificate store. |
| PinDisallowSequential | Boolean | Setting to True checks for a sequence of characters going up or down in value (123, 321, abc) in the pin protecting the certificate store. |
| PinLengthMinimum | Integer | The minimum character length for the pin protecting the certificate store. For iOS devices, the minimum required PIN length is six characters. |
| PinLowercaseMinimum | Integer | The minimum number of lowercase characters for the pin protecting the certificate store. |
| PinNumbersMinimum | Integer | The minimum number of number characters for the pin protecting the certificate store. |
| PinSpecialCharMinimum | Integer | The minimum number of special characters for the pin protecting the certificate store. The supported characters are listed below the table. |
| PinUppercaseMinimum | Integer | The minimum number of uppercase characters for the pin protecting the certificate store. |

Supported characters for PinSpecialCharMinimum: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

- Select Add to assign the app to the devices in the assignment group and then save and publish Workspace ONE PIV-D Manager as a managed application.
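
The provider restrictions and PIN minimums in Tables 1 and 2 can be checked before an assignment is published. The following is an added example, not part of the original documentation or vendor code; the function name `lint_app_config`, the dict representation of the key-value pairs, and the severity labels are assumptions.

```python
# Added example, not vendor code: lint a PIV-D Manager app config (as a dict)
# against constraints stated in Tables 1 and 2. Severity labels are this example's own.
PROVIDERS = {1: "Entrust", 2: "Intercede", 3: "Purebred", 4: "Xtec",
             5: "Workspace ONE UEM", 6: "YubiKey", 7: "AuthentX ID by Xtec"}
# Keys the tables restrict to particular providers.
ONLY_FOR = {"ConnectorAppName": {2}, "ConnectorDeviceIdentifier": {1, 2}}

def lint_app_config(cfg):
    """Return (severity, message) findings for one key-value assignment."""
    out = []
    provider = cfg.get("PIVDProvider")
    if provider is not None and provider not in PROVIDERS:
        out.append(("error", f"PIVDProvider {provider!r} is not in 1-7"))
    unknown = [p for p in cfg.get("AllowedProviderList", []) if p not in PROVIDERS]
    if unknown:
        out.append(("error", f"AllowedProviderList has unknown values {unknown}"))
    # Assumption: the Array-typed PIVDConfig arrives as 1 or [1] when switched on.
    if cfg.get("PIVDConfig") in (1, [1]) and provider != 5:
        out.append(("error", "PIVDConfig only works when PIVDProvider is 5"))
    for key, ok in ONLY_FOR.items():
        if key in cfg and provider is not None and provider not in ok:
            names = "/".join(PROVIDERS[p] for p in sorted(ok))
            out.append(("error", f"{key} is only supported by {names}"))
    if "UserPresenceProtection" in cfg and provider == 6:
        out.append(("error", "UserPresenceProtection is not supported by YubiKey"))
    elif cfg.get("UserPresenceProtection") is False:
        out.append(("warn", "UserPresenceProtection=False: CTK tokens are "
                            "reachable without device passcode or biometrics"))
    if cfg.get("CertificateExpiryWarningPeriod") == 0:
        out.append(("warn", "CertificateExpiryWarningPeriod=0 disables the warning"))
    pin_len = cfg.get("PinLengthMinimum")
    if pin_len is not None and pin_len < 6:
        out.append(("error", "PinLengthMinimum is below the iOS minimum of 6"))
    return out

# Constructed sample assignments (not taken from a real console).
WEAK = {"PIVDProvider": 6, "PIVDConfig": [1], "ConnectorAppName": "VMware PIV-D",
        "UserPresenceProtection": False, "CertificateExpiryWarningPeriod": 0,
        "PinLengthMinimum": 4}
REVIEWED = {"PIVDProvider": 5, "AllowedProviderList": [5], "PIVDConfig": [1],
            "UserPresenceProtection": True, "CertificateExpiryWarningPeriod": 30,
            "PinLengthMinimum": 8, "PinDisallowSequential": True}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("REVIEWED", REVIEWED)):
        print(name, lint_app_config(cfg) or "no findings")
```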