VMware Workspace ONE® PIV-D Manager is a mobile application that integrates with various derived credential providers for use with devices managed by Workspace ONE UEM. Find out what a derived credential is and which solutions Workspace ONE PIV-D Manager supports.

What are Derived Credentials?

A derived credential is a client certificate that is generated on, or issued to, a mobile device after an end user proves their identity with their existing smart card (CAC or PIV) during an enrollment process.

Derived credentials provide government agencies and contractors with a solution for replacing smart card authentication on mobile devices to meet high security requirements in the government sector. Both the Department of Defense (DoD) and all federal civilian agencies must use smart cards for physical and network access. It is easy to integrate smart cards with laptops and desktops because laptops have built-in smart card readers, and desktops use USB-based smart card readers. Also, desktops and laptops support smart cards at the operating system level, so any application that runs on the operating system can use the smart card. As mobile devices became the primary method of accessing internal resources, authentication to federally controlled information systems and applications had to change.

To meet this need, NIST updated the FIPS 201 standard to include guidelines for Derived Personal Identification Verification (PIV) Credentials. Unlike the laptop and desktop approach, this standard does not use the CAC or PIV card directly on the device. Instead, it provides guidelines for generating and using an alternative token, which you can then implement and deploy directly to mobile devices. This newly derived PIV credential is called a derived credential or PIV-D.

Supported Derived Credentials Solutions

Workspace ONE PIV-D Manager supports the following PIV-D providers.

  • DISA Purebred
  • Entrust Identity Enterprise
  • Intercede MyID
  • AuthentX ID by Xtec
  • Workspace ONE UEM
  • Xtec
  • YubiKey

How does Workspace ONE PIV-D Manager work with DC Providers?

[Figure: flow showing how the PIV-D Manager works with derived credential providers.]

Workspace ONE PIV-D Manager interacts with derived credential (DC) providers and Workspace ONE UEM components to make mobile derived credentials available for use in profiles and productivity apps.

  1. Users enroll with Workspace ONE UEM through the Workspace ONE Intelligent Hub on devices.
  2. Users get the Workspace ONE PIV-D Manager app from the Workspace ONE Intelligent Hub and install it on devices.
  3. Users authenticate with a smart card to a DC provider. The DC provider issues mobile derived credentials to users.
  4. Certificates for mobile derived credentials are added to the Workspace ONE PIV-D Manager app on devices. This process varies depending on the DC provider.
    • Android - The system encrypts the certificates and stores them in the Workspace ONE PIV-D Manager app.
    • iOS - The system encrypts the certificates and stores them in the iOS Keychain.
  5. Users can access apps and services on the device using the mobile derived credential.