Deploy a device profile with a credentials payload to Android devices. The profile gets the certificates from the Workspace ONE PIV-D Manager app so the device can use the certificates to access resources.

The current implementation of Workspace ONE PIV-D Manager for Android does not support native email with derived credentials. It does support using Workspace ONE Boxer with derived credentials.


Use the Workspace ONE Intelligent Hub for v19.10 or later for Android (Enterprise) support.


  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android.
  2. Configure the profile's General settings.
  3. Select the Credentials profile and select Configure.
  4. Set the Credentials Source to Derived Credentials.
    Important: If you have at least one Credential Source set as Derived Credential, you cannot add credential sources other than derived credentials to the Credentials payload.
  5. Select the Key Usage based on how the certificate is used. Choose Authentication, Signing, or Encryption.
    To add additional certificates, use the plus sign at the bottom of the profile window.
  6. To associate the derived credential, add a Wi-Fi or VPN payload.
    If you are configuring multiple payloads, consider configuring Wi-Fi and VPN separately instead of one profile containing multiple payloads and multiple derived credentials.
  7. Select Save and Publish.


The profile displays as pending in the Profiles List View.

What to do next

At this point, end users install and configure Workspace ONE PIV-D Manager on their Android device and the console pushes down and installs the device profile on the managed Android device. For more information, see Configure Workspace ONE PIV-D Manager on Devices.