IBM Support

MaaS360 PIV-D Derived Credentials with Entrust

Release Notes


Abstract

Government agencies have long used PIV (Personal Identity Verification) cards for authentication and for access to buildings, laptops, and desktops. A PIV card holds cryptographic keys that identify the user and provide strong authentication without usernames and passwords. To bring mobile devices into this model, NIST (National Institute of Standards and Technology) issued guidelines for derived credentials (NIST SP 800-157), in which digital keys derived from the PIV card are stored on the mobile device.

With PIV derived credentials (PIV-D), agencies can use a mobile device in the same way as a PIV card to securely access enterprise apps and information, without requiring a dedicated PIV card reader for the mobile device.

Content

PIV-D support

MaaS360 integrates with Entrust, a provider of trusted identity and secure transaction technology, so that government agencies that use the PIV security framework can extend it to iOS devices.

With this feature, derived credentials are generated and stored on the mobile device, so end users can directly access PIV-secured corporate resources such as email, VPN, and Wi-Fi from the device.

Note: This feature is currently supported only on iOS MDM devices.

Set up PIV-D authentication

This section provides step-by-step instructions for administrators and end users, from generating the derived credentials to securely accessing corporate resources from the mobile device.

Admin setup

1. Ensure Derived Credential Authentication service is enabled

The Derived Credential Authentication service is not enabled by default. To enable the service, contact MaaS360 support team.


2. Create MaaS360 secure policies

In the first phase of this series of enhancements, MaaS360 adds support for derived credential (PIV-D) based authentication for Mail, VPN, and Wi-Fi.

To configure PIV-D based authentication for apps,

  1. Navigate to Security > Policies and then open or create an iOS MDM policy.
  2. To enable PIV-D based authentication for Mail,
    1. Click ActiveSync in the left navigation panel.
    2. In the Identity Certificate field, select Derived PIV Credentials.
    3. If the derived credential is also to be used for S/MIME signing and encryption, select Derived PIV Credentials in the SMIME Signing Certificate and SMIME Encryption Certificate fields as well.
  3. To enable PIV-D based authentication for Wi-Fi,
    1. Click Wi-Fi in the left navigation panel.
    2. In the Identity Certificate field, select Derived PIV Credentials.
  4. To enable PIV-D based authentication for VPN,
    1. Click VPN in the left navigation panel.
    2. In the Identity Certificate field, select Derived PIV Credentials.
  5. Save and publish the policy.

Result: The policy settings that reference Derived PIV Credentials do not take effect on a device until the MaaS360 PIV-D app is installed and the derived credentials have reached that device.

3. Distribute MaaS360 PIV-D app

The MaaS360 PIV-D app must be distributed only through the MaaS360 App Catalog. To distribute the PIV-D app,

  1. Navigate to Apps > Catalog.
  2. Click Add > iTunes App Store app.
  3. In the App Details section, select the MaaS360 PIV-D app.
  4. In the Policies and Distribution section, distribute the MaaS360 PIV-D app to the desired group(s).
  5. Click Add.

Result: The MaaS360 PIV-D app is successfully distributed.

User setup

After a mobile device is enrolled, the user installs the PIV-D app and then activates, stores, and renews derived credentials on the device.

1. Install PIV-D app

To install the PIV-D app, open the MaaS360 App Catalog on the device and install the MaaS360 PIV-D app.

2. Set up PIV-D app

To create derived credentials,

  1. Launch the MaaS360 PIV-D app.
  2. On the startup page, tap Get Started.

Result: If the administrator has restricted access to the Entrust IdentityGuard Self-Service Module to connections over a VPN, the VPN Configuration screen is displayed.

Note: Do not close the PIV-D app or send it to the background while the loading icon (spinning wheel) is displayed.

  3. Connect to a VPN. To connect, go to device Settings > General > VPN.

Note:

  • If no VPN is available at the path above, contact your administrator.
  • Skip this step if the Entrust IdentityGuard Self-Service Module is reachable directly on the corporate network without a VPN connection.

  4. Select I confirm that VPN connection is established and tap Create Credentials.

Result: The Setup Instructions screen is displayed.

3. Create derived credentials

The derived credentials are created through the Entrust portal from a laptop or desktop.

To create a derived mobile smart credential from a laptop or desktop,

  1. Log on to the Entrust IdentityGuard Self-Service portal.

Result: The Self-Administration Actions page is displayed.

  2. Click the I'd like to enroll for a derived mobile smart credential option.

Result: The Smart Credential enabled Application page is displayed.

  3. Select the I've successfully downloaded and installed the Smart Credential enabled application option and click Next.

Result: The Derived Mobile Smart Credential page appears.

  4. Provide an appropriate identity name and click OK.

Result: A QR code and PIN are generated.

Note: Activation must be completed within 3 minutes of generating the QR code and PIN; after that, a new QR code and PIN must be generated.

4. Activate derived credentials

To activate derived credentials,

  1. After generating the QR code and PIN, open the MaaS360 PIV-D app and tap Scan QR Code on the Setup Instructions screen.

Result: A QR code scanner appears on the Add Credentials screen.

  2. Use the scanner to scan the QR code.

Result: The Activate Credentials screen is displayed.

  3. Enter the PIN that was generated on the Entrust portal and tap Activate.

Result: The MaaS360 PIV-D app sends an activation request to the Entrust server and the derived credentials are generated on the device.

Note:

  • If the Entrust credentials are changed, expired, revoked, or deleted, new credentials must be created and activated again.
  • Do not close the PIV-D app or send it to the background while the loading icon (spinning wheel) is displayed.

5. Renew credentials

To renew derived credentials,

  1. Tap Renew on the Your Credentials (home) screen.

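A derived credential has a fixed validity window: it should be renewed before it expires, and an expired or revoked credential has to be created and activated again. The following Python script is added here as an illustration and is not part of the MaaS360 or Entrust software. It reads the Validity field straight out of a DER-encoded X.509 certificate (for example a device credential exported with `openssl x509 -outform DER`) using a minimal standard-library DER walker, and reports whether the credential is fine, inside the renewal window, or expired. The 30-day renewal window is an assumption, and the sample certificate is a constructed skeleton (empty names, placeholder key, fake signature) built inline so the script runs offline; it performs no signature, chain, or revocation checks.

```python
"""Check the validity window of a derived-credential certificate and decide
whether it is time to renew it, or whether it has expired and must be
re-activated. Standard library only; reads the X.509 Validity field with a
minimal DER walker and does no signature, chain or revocation checking."""
import datetime as dt

# sha256WithRSAEncryption OID, used only to build the constructed sample.
_SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")


def _tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, pos = data[pos], pos + 1
    length, pos = data[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        s = s[2:]
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]),
                       int(s[6:8]), int(s[8:10]), tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0   # optional explicit [0] version
    # after the version come serialNumber, signature, issuer, validity, ...
    validity_tag, validity = fields[i + 3]
    if validity_tag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    not_before, not_after = _children(validity)
    return _parse_time(*not_before), _parse_time(*not_after)


def renewal_status(der, now, renew_before=dt.timedelta(days=30)):
    """'ok', 'renew' (inside the renewal window), 'expired' (re-activation
    needed) or 'not-yet-valid', relative to the aware datetime 'now'."""
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= renew_before:
        return "renew"
    return "ok"


def utc_time(iso):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a UTC datetime."""
    return dt.datetime.fromisoformat(iso).replace(tzinfo=dt.timezone.utc)


# --- constructed sample certificate: a skeleton, not a real credential ------
def _der(tag, content):
    """Encode one DER element (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def sample_certificate(not_before, not_after):
    """Minimal v3 certificate skeleton with the given Validity; names, key and
    signature are empty placeholders (assumption: only the layout that
    certificate_validity() walks needs to be realistic)."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, _SHA256_RSA_OID))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                  # version v3
               _der(0x02, b"\x01") +                              # serialNumber
               alg +                                              # signature
               _der(0x30, b"") +                                  # issuer
               _der(0x30, utc(not_before) + utc(not_after)) +     # validity
               _der(0x30, b"") +                                  # subject
               _der(0x30, b""))                                   # subjectPublicKeyInfo
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))        # fake BIT STRING sig


if __name__ == "__main__":
    cert = sample_certificate(utc_time("2019-05-03T00:00:00"),
                              utc_time("2020-05-03T00:00:00"))
    for when in ("2019-06-01T00:00:00", "2020-04-20T00:00:00",
                 "2020-06-01T00:00:00"):
        print(when, renewal_status(cert, utc_time(when)))
```

On a real exported credential, replace the constructed sample with `open("cred.der", "rb").read()`; the walker only relies on the TBSCertificate field order fixed by RFC 5280, so it works for any v1 or v3 certificate. Treat "renew" as the cue to tap Renew in the PIV-D app and "expired" as the cue to repeat the create-and-activate steps.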

6. Access Resources

After the derived credentials are activated, close the MaaS360 PIV-D app and open the MaaS360 app to securely access corporate resources on the mobile device.

Key points

  • Administrators can restrict access to the Entrust portal to connections over a third-party VPN or Wi-Fi network; for example, the Cloud Extender tool can be used to enforce the restriction.
  • Administrators must ensure that the MaaS360 for iOS app is installed and the device is enrolled.
  • To apply policy changes that have been pushed to the device, users must respond to the notification by opening the MaaS360 PIV-D app.


Document Information

Modified date:
03 May 2019

UID

ibm10883460