You can use Purebred app credentials that are stored in the Android Keystore to authenticate users to other resources managed in the Workspace ONE UEM console.

A Purebred app stores its certificates with the Android Key Store and it shares the alias information of the certificates with the Workspace ONE Intelligent Hub installed on the device. The Workspace ONE Intelligent Hub uses the alias information when it deploys Workspace ONE UEM console profiles on devices.

With the shared alias information, users can authenticate to email and websites, and they can configure WiFi and S/MIME. You configure this feature by adding a custom setting, app config key-value pair to the default SDK profile assigned to the Workspace ONE Intelligent Hub for Android.


  • Use the Workspace ONE Intelligent Hub for Android, minimum v19.07.

Runtime Permissions

To access Purebred certificates, set runtime permissions. If runtime permissions were previously deactivated, then they must be allowed in the app settings to access the certificates. To update runtime permissions, follow these steps:
  1. Access the PIV-D app settings.
  2. On the App info screen, select Permissions.
  3. Select Additional Permissions.
  4. Select read alias.
  5. On the read alias permission screen, select Allow.


  1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.
  2. Select Enabled for Custom Settings.
  3. Enter {"PIVDProvider":"3"} in the Custom Settings text box to identify Purebred as the provider.
  4. Save your settings.
  5. Navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings.
  6. Set the SDK Profile menu item to the default profile by selecting Android Default Settings @ Global.

What to do next

You must deploy a device profile to Android (Legacy) devices with Derived Credentials as the Credentials payload. For information, access Use Profiles to Control How Android (Legacy) Devices use Derived Credentials Certificates.