You can sign PDFs with your derived credentials using Workspace ONE PIV-D Manager.

Signing PDFs with Workspace ONE PIV-D Manager has some limitations.

  • PIV-D records that PDFs are signed, but it does not validate the signatures.
  • Workspace ONE PIV-D Manager uses a single signing certificate that can be used for multiple signatures. It does not support the use of multiple signing certificates for PDF signing.

Prerequisites

  • The PDF must have a signature element, which allows digital signing.
  • Your deployment must use Workspace ONE PIV-D Manager for iOS v1.5 or later.
  • The corresponding certificate in Workspace ONE PIV-D Manager for iOS must have the keyUsage attribute for signing and non-repudiation.
  • Device users need a keystore PIN. Users configure their keystore PINs when they activate and import their derived credential certificates. The keystore PIN is different from the Workspace ONE PIV-D Manager passcode.
    Important: Users get six attempts to enter their PINs. On the sixth incorrect PIN entry, the Workspace ONE PIV-D Manager app wipes all data.
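
The keyUsage prerequisite above can be checked before a certificate is provisioned. The following is an added example, not code from VMware or from the original page: it decodes the DER-encoded keyUsage BIT STRING as defined in RFC 5280 and reports which required usages are missing. It assumes that "signing" on this page corresponds to the digitalSignature bit; the function names and hex samples are constructed for illustration.

```python
# Added example: decode the DER-encoded X.509 keyUsage BIT STRING (RFC 5280).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)
# Assumption: "signing and non-repudiation" on this page maps to these two bits.
REQUIRED_FOR_PDF_SIGNING = {"digitalSignature", "nonRepudiation"}


def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a DER BIT STRING (tag 0x03)."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with at least one data byte")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding for keyUsage")
    unused, data = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(data) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first data byte.
        if data[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def missing_for_pdf_signing(der: bytes) -> set:
    """Return required usages the certificate does not assert (empty = OK)."""
    return REQUIRED_FOR_PDF_SIGNING - decode_key_usage(der)


# Constructed sample values (not taken from any real certificate).
SIGNING_CERT_KU = bytes.fromhex("030206c0")     # digitalSignature + nonRepudiation
AUTH_CERT_KU = bytes.fromhex("03020780")        # digitalSignature only
ENCRYPTION_CERT_KU = bytes.fromhex("03020520")  # keyEncipherment only

if __name__ == "__main__":
    for label, ku in [("signing", SIGNING_CERT_KU), ("auth", AUTH_CERT_KU),
                      ("encryption", ENCRYPTION_CERT_KU)]:
        gap = missing_for_pdf_signing(ku)
        status = "OK" if not gap else f"missing {sorted(gap)}"
        print(label, sorted(decode_key_usage(ku)), status)
```

The input is the content of the keyUsage extension value, as shown for example by an ASN.1 dump of the certificate.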

Procedure

  1. Admins configure the Workspace ONE PIV-D Manager app in the Workspace ONE UEM console.
    1. Navigate to Apps & Books > Native > Public and edit the Workspace ONE PIV-D Manager app in the view list.
    2. Add the key-value pair EnablePDFSigning, with a Boolean data type and a value of true.
    3. Push the Workspace ONE PIV-D Manager app to deploy the PDF signing feature.
  2. Users copy the applicable PDF file into the Workspace ONE PIV-D Manager app for signing on their devices.
    1. On their devices, users open the applicable PDF file in the app that usually renders PDFs (Workspace ONE Boxer, Mail, or Adobe Acrobat Reader).
    2. Use the app's Share capability to copy the PDF file from the usual app to Workspace ONE PIV-D Manager.
      The PDF opens in the Workspace ONE PIV-D Manager app.
    3. In the PDF that opens in Workspace ONE PIV-D Manager, choose where you want your signature, and select Sign.

      Workspace ONE PIV-D Manager prompts users for the keystore PIN. Users configured this PIN when they activated and imported their derived credential certificates.

      If users enter an incorrect PIN, Workspace ONE PIV-D Manager does not sign the PDF. Users must enter their PIN again. The maximum number of failed attempts is 6.

    4. Users have several options to store their signed PDFs.
      • Users can import the signed PDF to another app for saving on their devices.
      • Users can save the signed PDF in Workspace ONE PIV-D Manager for 30 days.

        This option enables users to open another app and import the signed file from Workspace ONE PIV-D Manager during those 30 days.