VMware Workspace ONE® PIV-D Manager works with YubiKey. Use the PIV-D Manager mobile app to authenticate end users with YubiKey credentials and sign PDF documents on a mobile device with credentials from a YubiKey accessory.

Prerequisites

Before you begin, you need the following:

  • An enrolled device

    Enroll the device through Workspace ONE Intelligent Hub and install the PIV-D Manager app in the usual way, or follow the instructions from your enterprise administrator.

  • An accessory with installed credentials

    Your enterprise administrator might issue you an accessory with an installed credential, or provide enrollment instructions. Otherwise, you can install an electronic certificate yourself.

    To install a certificate yourself, you need the following:
    • Suitable management software, which can be downloaded from the Yubico website (for example YubiKey Manager, which includes the ykman command-line tool).
    • Accessory management keys. YubiKey accessories ship with a factory-default PIV management key, PIN and PUK. Use those defaults unless the accessory has been reconfigured. The default values are publicly documented, so once your credential is installed, set your own PIN and replace the management key; otherwise anyone with physical access to the accessory can replace the certificate.
    • An electronic certificate, with its private key, whose Key Usage extension includes both Digital Signature and Non-Repudiation (some tools label the latter Content Commitment).

To verify that the certificate is suitable for PDF signing, use the PIV-D Manager app.
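As an added example (not code from the VMware page or from Yubico), the shell commands below prepare a certificate that satisfies the key-usage requirement above, check its attributes the same way you will check them on the PIV-D Certificates screen, and load it into the accessory. The ykman command syntax (YubiKey Manager 4 or later) and the choice of the PIV Digital Signature slot 9c are assumptions; the factory-default management key and PIN are Yubico's documented defaults. The self-signed certificate stands in for the one your enterprise CA would issue.

```shell
#!/bin/sh
# Added example, not part of the VMware or Yubico documentation.
# Prepares a PDF-signing certificate with the key usages PIV-D requires,
# checks it, and (when ykman and an accessory are present) loads it.
# Needs openssl 1.1.1 or later; the hardware steps need ykman (assumed 4.x+).
set -e

# Yubico's factory-default PIV secrets. They are public knowledge.
DEFAULT_MGMT_KEY=010203040506070801020304050607080102030405060708
DEFAULT_PIN=123456

# Create a self-signed certificate for the given common name whose Key Usage
# extension contains Digital Signature and Non-Repudiation (constructed
# stand-in for a CA-issued certificate). Writes key.pem and cert.pem to $1.
make_signing_cert() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" \
    -addext "keyUsage=critical,digitalSignature,nonRepudiation" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Same, but with Digital Signature only, to show the check rejecting it.
make_unsuitable_cert() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" \
    -addext "keyUsage=critical,digitalSignature" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Return 0 only if the Key Usage line lists both usages PIV-D needs.
# openssl prints "Non Repudiation" (no hyphen) for the bit that PIV-D calls
# Non-Repudiation and some tools call Content Commitment.
check_key_usage() {
  usage=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$usage" in *"Digital Signature"*) ;; *) return 1 ;; esac
  case "$usage" in *"Non Repudiation"*) return 0 ;; *) return 1 ;; esac
}

# Print the subject in RFC 2253 form, e.g. "CN=Jane Doe", which is the name
# that will appear on signed documents.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Load the key and certificate into the accessory's Digital Signature slot
# (9c, assumed here). That slot always asks for the PIN when the key is used,
# which matches the PIN prompt in the PIV-D signing step.
load_into_yubikey() {
  dir=$1
  command -v ykman >/dev/null || { echo "ykman not installed; skipping hardware steps"; return 0; }
  ykman piv keys import --management-key "$DEFAULT_MGMT_KEY" 9c "$dir/key.pem"
  ykman piv certificates import --management-key "$DEFAULT_MGMT_KEY" 9c "$dir/cert.pem"
  # Show what the app will read from the accessory.
  ykman piv info
  # The default management key is public: replace it with a random one that
  # is protected by the PIN, so the certificate cannot be silently swapped.
  ykman piv access change-management-key --generate --protect \
    --management-key "$DEFAULT_MGMT_KEY" --pin "$DEFAULT_PIN"
}

# Usage: sh prepare_piv_cert.sh "Jane Doe"
main() {
  work=$(mktemp -d)
  make_signing_cert "$work" "$1"
  check_key_usage "$work/cert.pem" || { echo "certificate lacks required key usages" >&2; exit 1; }
  echo "Subject: $(cert_subject "$work/cert.pem")"
  load_into_yubikey "$work"
}
if [ -n "${1:-}" ]; then main "$1"; fi
```

Importing a software-generated key means a copy of it exists outside the accessory. Where your CA can sign a CSR, the stronger path is to generate the key on the accessory (`ykman piv keys generate`), submit the CSR, and import only the issued certificate; the key-usage check above applies unchanged to that certificate.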

To register your YubiKey accessory for use with the PIV-D Manager app on your device, follow the instructions below.

The Persistent Device Token Extension supports YubiKey. For information, see Persistent Device Token Extension.

Register Your YubiKey Accessory

Complete these steps to register the accessory so that you can authenticate with its credentials and electronically sign PDFs on the mobile device.

  1. Open the PIV-D app. Opening the app might require you to enter a passcode or authenticate another way.
  2. Open the product selection screen, if it is not already shown. It might be the first screen that PIV-D displays.
  3. Select Product: YubiKey.
  4. Follow the on-screen instructions for connecting the accessory, either by USB or NFC. PIV-D only reads the public part of the certificate at this stage, so you do not need to enter the accessory PIN. When the accessory has been read, the Certificates screen opens in the PIV-D app, and the certificate from the accessory should be listed there.
    Note: Be careful not to trigger Yubico OTP (One-Time Password) entry. Touching the accessory's contact can emit an OTP, which might cause the browser app to open. If the browser app opens, return to the PIV-D app. To avoid triggering the OTP, try holding the accessory in a different way.
  5. Select the certificate name and verify that the attributes are as required. The Subject must show the common name (CN) that you want to appear on signed documents. The Key Usage line must show both Digital Signature and Non-Repudiation.

    If any attribute is not as required, a different certificate must be loaded on the accessory. Return to your administrator, or generate and install an amended certificate of your own.

Sign a Document With a YubiKey Accessory

Complete these steps to electronically sign a document.

  1. Ensure that your YubiKey accessory is registered (see Register Your YubiKey Accessory).
  2. Share a signable PDF file with PIV-D from another app.
  3. Tap the sign button and confirm if prompted.
  4. Follow the on-screen instructions for connecting the accessory, either by USB or NFC. At this stage PIV-D uses the private key held on the accessory to produce the signature (the key itself does not leave the YubiKey), so you are prompted to enter the accessory PIN.
    Note: Be careful not to trigger Yubico OTP (One-Time Password) entry. Touching the accessory's contact can emit an OTP, which might cause the browser app to open. If the browser app opens, return to the PIV-D app. To avoid triggering the OTP, try holding the accessory in a different way.
  5. Check that the signature appears on the document as expected, with the common name from the certificate.